Render Stl Png
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: render-stl-png
Version: 0.1.0

The skill is classified as suspicious due to the `scripts/render_stl_png.sh` file performing a `pip install pillow` command. While `pillow` is a legitimate dependency for the skill's stated purpose of image rendering, this action involves network access to PyPI and the execution of remote code, which represents a supply chain risk. There is no clear evidence of malicious intent, but the capability to fetch and execute remote artifacts is a high-risk behavior.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
First use may download Python package code into a local cache; future package-index changes could affect the environment created by the wrapper.
When the recommended wrapper is used, it installs or upgrades packages in a cached virtual environment without a pinned Pillow version or lockfile in the artifacts.
"$VENV/bin/pip" install --upgrade pip >/dev/null
"$VENV/bin/pip" install pillow >/dev/null
Use the wrapper only in a trusted environment, or pin dependency versions if repackaging or deploying this skill more strictly.
