Photo to 3D

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill does what it claims—turns a user-provided image into a 3D model using Gemini and Tripo3D—but users should know their images and API keys are used with external services.

This skill appears purpose-aligned and non-malicious based on the provided artifacts. Before using it, make sure you are comfortable uploading the chosen image to Gemini and Tripo3D, use appropriate API keys, and install any missing Python dependencies from trusted sources.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and used, the skill can consume the user's Gemini and Tripo3D API quota and perform requests under those accounts.

Why it was flagged

The skill requires provider API keys. This is expected for the advertised Gemini and Tripo3D integration, but users should understand that the skill acts under those API credentials.

Skill content

- `GEMINI_API_KEY` — Get from https://aistudio.google.com/apikey
- `TRIPO_API_KEY` — Get from https://platform.tripo3d.ai/

Recommendation

Use dedicated or least-privileged API keys where possible, monitor provider usage, and revoke keys if they are no longer needed.

What this means

Photos processed by the skill are uploaded to third-party services, which may matter if the images are private, confidential, or copyrighted.

Why it was flagged

The script sends the input image or generated image to Gemini and Tripo3D APIs. This matches the stated pipeline, but it means image data leaves the local environment.

Skill content

```python
requests.post(url, json=payload, timeout=120)
...
requests.post("https://api.tripo3d.ai/v2/openapi/upload", headers=headers, files={"file": (img_path.name, f, "image/png")}, timeout=60)
```

Recommendation

Only use images you are comfortable sending to Gemini and Tripo3D, and review those providers' data retention and privacy terms.

What this means

The skill may fail until dependencies are manually installed, and users may need to decide how to obtain the missing package.

Why it was flagged

The script depends on the Python requests package, while the provided install specifications do not declare dependencies. This is a setup/provenance clarity issue rather than evidence of unsafe code.

Skill content

```python
import requests
```

Recommendation

Install dependencies from trusted package sources and prefer a pinned requirements file or documented setup instructions from the skill publisher.