Image To 3d Pipeline
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: image-to-3d-pipeline Version: 1.0.0 The skill bundle provides a legitimate automated pipeline for converting images to 3D models using external APIs like Replicate, Remove.bg, and Meshy. While there is a minor documentation inconsistency in SKILL.md (mixing Replicate and Meshy API keys/endpoints in examples), the logic is transparent, uses well-known service providers, and contains no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could be led to provide and use an unexpected third-party API token, potentially sending image jobs to a different paid service than expected.
The declared credentials omit MESHY_API_KEY, but the documented workflow uses that key to call Meshy, a different provider from the advertised Tripo3D/Replicate flow.
"env": ["TRIPOSR_API_KEY"], "optional": ["REMOVE_BG_API_KEY", "UPSCALE_API_KEY"] ... "https://api.meshy.ai/v2/image-to-3d/$TASK_ID" ... "Authorization: Bearer $MESHY_API_KEY"
Declare MESHY_API_KEY and the Meshy provider explicitly, including cost and data-flow expectations, or remove the Meshy steps and align the workflow with the declared Tripo/Replicate credential.
Running the batch example without checking the image list and pricing could consume credits, create charges, or upload more product images than intended.
The skill documents a parallel batch submission loop. This is related to the image-to-3D purpose, but it can submit multiple paid API jobs and upload multiple image URLs if run as written.
for img in "${images[@]}"; do
curl -X POST "https://api.meshy.ai/v2/image-to-3d" \
-H "Authorization: Bearer $MESHY_API_KEY" ... &
doneUse batch mode only with explicit user confirmation, reviewed image inputs, provider choice, rate limits, and cost limits.