3D Maker Companion

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for 3D maker workflows, but users should notice that it uses a Meshy API key, stores it locally if requested, and sends prompts or image URLs to Meshy’s external API.

This skill appears safe for its stated 3D maker purpose. Before installing, decide whether you are comfortable using a Meshy API key, storing it in a local .env file if you use set-key, and sending prompts or image URLs to Meshy’s external API.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any process that can read the skill directory may be able to read the saved Meshy API key.

Why it was flagged

The helper stores the Meshy API key in a local .env file. This is purpose-aligned, but it is still credential handling that users should understand.

Skill content

def set_key(api_key):
    env_path = os.path.join(os.path.dirname(__file__), "..", ".env")
    with open(env_path, "w") as f:
        f.write(f"MESHY_API_KEY={api_key}\n")

Recommendation

Prefer an environment variable or ensure the .env file has appropriate local file permissions and is not shared or committed.

What this means

Prompts or image URLs used for generation are sent to Meshy, and generated tasks may affect the associated Meshy account usage.

Why it was flagged

The script creates authenticated Meshy API tasks using user-provided prompts or image URLs. This matches the skill purpose, but it can send content to an external service and may consume account credits.

Skill content

response = requests.post(f"{API_URL_V2}/text-to-3d", headers=headers, json=payload)

Recommendation

Only submit content you are comfortable sending to Meshy and confirm account usage or credit costs before running generation commands.

What this means

Running the setup may install or update a local Python package outside a locked dependency set.

Why it was flagged

The documented setup installs the requests package from PyPI without a pinned version. This is expected for the Python client, but it is still a dependency installation.

Skill content

"command": "pip install requests"

Recommendation

Install in a virtual environment and pin or review dependencies if you need stricter reproducibility.