Blender Mcp

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Blender bridge, but it gives an agent broad control over Blender, external asset imports, and Python execution without enough built-in safeguards.

Install only if you trust the external `blender-mcp` package that `uvx` will run and are comfortable giving the agent live Blender automation and Python execution authority. Keep backups, verify or pin the MCP server version, and require explicit approval before downloads, imports, renders, saves, or any `execute_code` use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill declares powerful MCP/environment-linked capabilities without explicitly declaring permissions or constraining what the bridge may access. In a skill that can run arbitrary Blender Python and interact with a live local application, missing permission disclosure increases the chance of silent scene, file, or host-side side effects beyond user expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 82%
Finding: The documentation expands the skill from a Blender bridge into third-party asset search and download, which changes the trust and attack surface in ways not reflected by the stated scope. Scope drift is dangerous because users and orchestrators may authorize a local bridge while not realizing it also performs network retrieval and imports untrusted content into the scene.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: Advertising network-based third-party asset retrieval introduces supply-chain and content-import risk that is not clearly justified or bounded by the bridge purpose. Downloading remote models and assets into Blender can expose users to malicious files, licensing issues, or unexpected scene/script behavior if import paths are not tightly controlled.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The bridge forwards arbitrary tool names and arguments to the underlying MCP server with no allowlist or policy enforcement, while the advertised capability set includes an `execute_code` tool that can run Blender Python. In this context, that effectively exposes arbitrary code execution inside the Blender environment, which is materially broader than simple scene querying or object/material manipulation and can lead to file access, network access, or host-side actions available to Blender/Python.

Vague Triggers

Severity: Medium
Confidence: 74%
Finding: The broad guidance to use the skill for generic real-time feedback or complex modeling tasks can cause over-invocation of a highly privileged bridge. When a skill capable of code execution and file modification is invoked too readily, ordinary modeling requests may escalate into unnecessary access to local applications, files, or networked assets.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The examples include saving a `.blend` file and rendering output without warning that these actions modify local project state and may overwrite or create files. In a live Blender bridge, such actions can cause data loss, unintended persistence, or unauthorized writes if triggered without explicit consent and clear file-path controls.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: Exposing an `execute_code` tool for arbitrary Blender Python execution gives the skill effectively unrestricted control over the Blender session and potentially the host environment reachable from Python. Without clear warnings, sandboxing, or approval gates, this can be used to alter scenes, write files, exfiltrate data, or run harmful local actions under the guise of normal 3D automation.

Missing User Warnings

Severity: Low
Confidence: 70%
Finding: The executable path is derived from `USERPROFILE` and then executed with `shell: true`, which increases risk if the environment variable is manipulated or points to an attacker-controlled location. In the context of a Blender MCP bridge that can perform powerful local actions, launching the wrong binary could result in arbitrary code execution under the user's privileges.

VirusTotal

64 of 64 vendors reported this skill as clean.