Skill v1.0.0

ClawScan security

claw3d · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 12, 2026, 10:29 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (AI model creation, Thingiverse search, slicing, printing) matches the environment variables, install, and runtime instructions — nothing requests unrelated secrets or odd system access — but review the installer package and be aware the skill instructs the agent to run long-running CLI commands and write printer config to your home directory.
Guidance
This skill is coherent with its stated purpose: it needs a FAL.ai API key to generate 3D models and a Thingiverse access token to search. Before installing, you should: (1) verify the source of the 'claw3d' package published to your 'uv' registry or the GitHub repo linked in the metadata; (2) be aware the skill will run CLI commands in the agent's environment, create/modify ~/.config/claw3d/config.json, and may execute long-running processes (convert/preview/slice) automatically when invoked — so avoid enabling printing in shared or production environments without checking the printer target; (3) confirm you are comfortable storing the FAL_API_KEY and Thingiverse token for this skill and consider giving only the minimal-scoped keys required; (4) if you don't need all capabilities, enable only the modules you plan to use (the repository and build script support modular builds). If you want a deeper review, provide the 'claw3d' package source (uv registry link or package contents) and the CLI's network endpoints to check for any unexpected external communications.

Review Dimensions

Purpose & Capability
ok
Name/description, manifest, and SKILL.md consistently describe a 3D workflow. Required env vars (FAL_API_KEY for AI generation, THINGIVERSE_ACCESS_TOKEN for search) and a single binary ('claw3d') are appropriate and expected for the declared capabilities.
Instruction Scope
note
SKILL.md instructs the agent to run numerous claw3d CLI commands, handle media paths, create previews, slice, and upload/print. Those actions are in-scope for a 3D workflow. Two behavioral items to note: (1) the prompt strongly requires executing commands in the same turn (immediate, non-interactive execution) and waiting for long-running commands to finish before returning control, which raises operational concerns (unexpected prints or network calls if enabled); (2) it references optional GEMINI_API_KEY and suggests editing openclaw.json for Telegram limits (these are additional configuration points not declared as required). None of the instructions ask the agent to read unrelated secrets or system files beyond the standard workspace and the claw3d config.
Install Mechanism
ok
Install spec uses a package 'claw3d' via 'uv' (a package-kind entry). There are no direct downloads from arbitrary URLs or archive extraction steps in the manifest or build script. The build script assembles markdown into SKILL.md; no suspicious installer chains were found.
Credentials
note
The two required env vars (FAL_API_KEY, THINGIVERSE_ACCESS_TOKEN) are proportional and justified by the AI generation and Thingiverse search functionality. The primary credential is FAL_API_KEY, which aligns with the skill's emphasis on AI conversion. Minor inconsistency: SKILL.md/setup notes mention GEMINI_API_KEY as an optional/recommended key, but GEMINI_API_KEY is not declared in the manifest's required/optional lists — this is an informational discrepancy to be aware of but not necessarily malicious.
Persistence & Privilege
ok
The skill is not always:true and follows default autonomous-invocation behavior. It documents writing printer registration and profile state to ~/.config/claw3d/config.json (expected for a CLI printer manager). It does not request system-wide modifications beyond its own config files, and it does not request other skills' credentials.