ClawHub

IPdesign-3Dprint

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed 3D character-to-print workflow that uses optional cloud image generation and local Blender scripts without evidence of hidden exfiltration or persistence.

Install only if you are comfortable providing image-generation API keys and sending design prompts to the selected provider. Run the Blender script in a fresh/background Blender session, because it clears the active scene before creating output files in /tmp/skullpanda_output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly routes user prompts and possibly reference-image-derived content to third-party image-generation services, but it does not present a user-facing privacy notice or data-sharing warning before that transmission occurs. In a creative pipeline, prompts can contain proprietary character concepts, client IP, or personal data, so silent transmission to external providers creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script immediately selects and deletes all objects in the current Blender scene and removes all materials without confirmation or isolation. In an agent or automation context, running this against an open user project can cause destructive loss of in-memory work and overwrite the user's working environment unexpectedly.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Using Gemini/Imagen 4.0 (API-only mode)
curl -X POST "https://generativelanguage.googleapis.com/v1beta/models/imagen-4.0-generate-001:predict?key=$GEMINI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "instances": [{"prompt": "Skullpanda-style character, front view..."}],
Confidence
94% confidence
Finding
curl -X POST "https://generativelanguage.googleapis.com/v1beta/models/imagen-4.0-generate-001:predict?key=$GEMINI_API_KEY" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal