Image To Relief Stl
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: image-to-relief-stl Version: 0.1.0 The skill bundle is benign. It provides a tool to convert images into 3D-printable bas-relief STL models. The `SKILL.md` file contains clear, benign instructions for the agent and user, with no evidence of prompt injection. The `scripts/image_to_relief.sh` orchestrates the process, creating a Python virtual environment to install `pillow` and optionally using `potrace` and `mkbitmap` (declared dependencies) for SVG preview generation. The `scripts/image_to_relief.py` contains the core logic for image processing and 3D mesh generation, using standard libraries. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation across any of the files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent processes a maliciously crafted filename and preview generation is enabled, code could run locally under the user's account.
The unquoted heredoc expands the user-controlled input path directly into Python source code. A filename containing quotes or newlines could alter the Python code executed when --preview-svg is used.
"$VENV/bin/python" - <<PY
from PIL import Image
img = Image.open("$IN").convert('RGBA')
...
mask.save("$TMPDIR/preview.pbm")
PYPass paths as arguments or environment variables to a quoted heredoc, for example `python - "$IN" "$TMPDIR/preview.pbm" <<'PY'`, then read them with `sys.argv`; avoid interpolating file paths into generated code.
First use may fetch third-party code from the Python package ecosystem and keep it in a cached virtual environment.
The wrapper downloads and installs an unpinned Python package on first run. Pillow is purpose-aligned for image processing, but the dependency version and provenance are not pinned in the artifacts.
python3 -m venv "$VENV" "$VENV/bin/pip" install --upgrade pip >/dev/null "$VENV/bin/pip" install pillow >/dev/null
Pin the Pillow version, declare the Python dependency in the skill metadata or installation instructions, and let users approve first-run dependency installation.