Generate Lego 3D Build Plan

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward wrapper for a remote LEGO build-plan API, but users should treat prompts, image URLs, and the API key as data sent to that service.

Install only if you intend to use the DeepNLP/Craftsman remote API. Use a dedicated or scoped API key if available, avoid putting secrets or confidential details in prompts or image URLs, and verify the separate onekey CLI before using that recommended path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares use of an environment variable and directs users to invoke an external networked API, but it does not declare any permissions or trust boundaries. That omission can mislead reviewers and users about the skill's effective capabilities, reducing informed consent and making credential or data exposure risks easier to miss.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill tells users to submit prompts and optional images to a third-party API, but it does not clearly warn that this content leaves the local system. Users may unknowingly transmit sensitive text or images to an external service, creating confidentiality and privacy risks that are amplified by the skill's direct API-routing purpose.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation requires an API key to be exported as an environment variable but gives no guidance on protecting that credential. This increases the chance of accidental leakage through shell history, screenshots, logs, shared terminals, or unsafe script handling, which could enable unauthorized use of the external API.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits user-supplied prompts and image URLs to a third-party remote endpoint without any explicit consent notice, privacy warning, or data-classification guidance. This can expose sensitive user content or internal URLs to an external service, especially in agent contexts where users may assume processing is local or may provide confidential references.

VirusTotal

64/64 vendors flagged this skill as clean.
