RhinoClaw
Security checks across static analysis, malware telemetry, and agentic risk
Overview
RhinoClaw looks like a coherent Rhino automation skill, but it gives the agent very broad Rhino control, including arbitrary script execution and remote socket access, without clear safeguards.
Install only if you trust the RhinoClaw plugin and intend to let an agent control Rhino. Keep the TCP service local or tightly firewalled, and back up CAD files before agent actions. Require approval for raw script execution, file export/save, delete/boolean operations, and deployment, and verify any external Rhino Compute Platform tooling before use.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or prompt-influenced agent action could execute arbitrary Rhino/Python code with the permissions available to the Rhino environment, not just use the safer modeling wrappers.
The skill can take inline or file-sourced Python code and send it to Rhino for execution; the provided artifacts do not show sandboxing, validation, or an explicit confirmation gate.
exec_parser.add_argument("--code", help="Python code string"); exec_parser.add_argument("--file", help="Python script file to execute"); ... client.send_command("execute_rhinoscript_python_code", {"code": code})
Only allow raw script execution for code you have reviewed, require explicit user confirmation for `exec`-style actions, and keep backups of Rhino projects.
If the RhinoClaw TCP port is exposed or the agent is pointed at the wrong host, CAD document data and control commands may cross machine boundaries unexpectedly.
The connection can target a remote Rhino host, and the example configuration shows only host/port-style connection data with no authentication or identity boundary in the artifacts.
"host": "YOUR_RHINO_HOST_IP", "port": 1999 ... "remote": "Use the Tailscale/LAN IP of the Windows machine running Rhino"
Prefer localhost/local-only mode where possible, restrict port 1999 with firewall or VPN/Tailscale ACLs, and verify the target host before allowing agent control.
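One way to enforce the "verify the target host" advice before the agent opens the socket. This is an added example, not RhinoClaw code: it reads the same host/port shape as the configuration above, refuses the unfilled placeholder, refuses hostnames (so the agent cannot be redirected by DNS or a typo), and accepts only loopback or an explicit allowlist of networks. The default allowlist is the Tailscale CGNAT block 100.64.0.0/10, which is an assumption about the deployment, not something the artifacts state.

```python
import ipaddress
from typing import Iterable, Tuple

# Assumed policy (not part of RhinoClaw): loopback is always fine, the Tailscale
# address block is allowed by default, everything else is refused because the
# RhinoClaw service carries no authentication.
DEFAULT_ALLOWED_NETWORKS = ("100.64.0.0/10",)
PLACEHOLDER_HOSTS = {"YOUR_RHINO_HOST_IP", ""}
RHINOCLAW_PORT = 1999


def check_target(host: str, allowed_networks: Iterable[str] = DEFAULT_ALLOWED_NETWORKS) -> Tuple[bool, str]:
    """Decide whether the agent may connect to `host`. Returns (allowed, reason)."""
    if host == "localhost":
        return True, "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname resolves to whatever DNS answers at connect time; insist on
        # a literal address so the operator has actually looked at it.
        return False, f"refusing non-literal host {host!r}; use an IP address"
    if addr.is_loopback:
        return True, "loopback"
    for net in allowed_networks:
        if addr in ipaddress.ip_network(net, strict=False):
            return True, f"in allowlisted network {net}"
    if addr.is_private:
        return False, "private address outside the allowlist"
    return False, "public address; RhinoClaw has no authentication"


def check_config(cfg: dict, allowed_networks: Iterable[str] = DEFAULT_ALLOWED_NETWORKS) -> Tuple[bool, str]:
    """Validate a {"host": ..., "port": ...} block before handing it to the client."""
    host = str(cfg.get("host", ""))
    if host in PLACEHOLDER_HOSTS:
        return False, "host is still the template placeholder"
    port = cfg.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        return False, f"invalid port {port!r}"
    if port != RHINOCLAW_PORT:
        # Not fatal, but worth surfacing: the finding describes port 1999.
        return False, f"unexpected port {port}; RhinoClaw listens on {RHINOCLAW_PORT}"
    return check_target(host, allowed_networks)


if __name__ == "__main__":
    # Constructed sample configurations, mirroring the host/port shape above.
    for cfg in (
        {"host": "127.0.0.1", "port": 1999},
        {"host": "100.101.102.103", "port": 1999},
        {"host": "192.168.1.50", "port": 1999},
        {"host": "YOUR_RHINO_HOST_IP", "port": 1999},
        {"host": "rhino.example", "port": 1999},
    ):
        print(cfg["host"], "->", check_config(cfg))
```

Call check_config on the loaded configuration and refuse to construct the client unless it returns True; the reason string is what you log when it does not.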
A malicious or accidental definition name could create or overwrite files in unexpected local locations during deployment.
A user- or agent-supplied definition name is joined directly into output paths; absolute paths or `..` segments could write outside the intended compute-platform definitions directory.
deploy_parser.add_argument("--name", required=True, help="Definition name") ... dest_file = dest_dir / f"{name}.gh" ... meta_path = COMPUTE_PLATFORM_DEFS / f"{name}.meta.json"
Constrain deployment names to safe basenames, reject path separators and absolute paths, resolve the final path, and confirm it remains under the intended definitions directory before writing.
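A hardened version of the path construction shown above, added here as an example rather than taken from RhinoClaw. It applies both layers the remediation asks for: a strict basename pattern, and a resolve-then-containment check on the final paths. The second layer matters because pathlib's `/` operator silently discards the left side when the right side is absolute (`Path("/defs") / "/etc/passwd"` is `/etc/passwd`), so a regex slip alone would not save you. The definitions directory used below is an assumed value.

```python
import re
from pathlib import Path
from typing import Tuple

# Assumed location, standing in for COMPUTE_PLATFORM_DEFS in the finding above.
COMPUTE_PLATFORM_DEFS = Path("/tmp/rhino-compute-platform/definitions")

# A definition name is a plain basename: starts with an alphanumeric, then
# letters, digits, '-' or '_', at most 64 characters. No '.', '/', '\\' or
# whitespace, which rules out '..', absolute paths and hidden files outright.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


class UnsafeDefinitionName(ValueError):
    """Raised when a deploy name could write outside the definitions directory."""


def stays_under(root: Path, candidate: Path) -> bool:
    """True only if `candidate` resolves to a direct child of `root`."""
    root_resolved = root.resolve()
    # strict=False: the file does not exist yet, we only want normalisation.
    candidate_resolved = candidate.resolve()
    return candidate_resolved.parent == root_resolved


def safe_definition_paths(name: str, dest_dir: Path = COMPUTE_PLATFORM_DEFS) -> Tuple[Path, Path]:
    """Return (dest_file, meta_path) for `name`, or raise UnsafeDefinitionName."""
    if not _NAME_RE.fullmatch(name):
        raise UnsafeDefinitionName(f"rejected definition name {name!r}")
    dest_file = dest_dir / f"{name}.gh"
    meta_path = dest_dir / f"{name}.meta.json"
    # Defence in depth: even a name that passed the pattern must land in dest_dir
    # after symlinks and '..' segments are resolved.
    for p in (dest_file, meta_path):
        if not stays_under(dest_dir, p):
            raise UnsafeDefinitionName(f"{p} escapes {dest_dir}")
    return dest_file.resolve(), meta_path.resolve()


def is_safe_definition_name(name: str, dest_dir: Path = COMPUTE_PLATFORM_DEFS) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        safe_definition_paths(name, dest_dir)
        return True
    except UnsafeDefinitionName:
        return False


if __name__ == "__main__":
    # Constructed sample names: one legitimate, the rest attempts to escape.
    for candidate in ("facade-v2", "../evil", "/etc/passwd", "..\\..\\win.ini", ".hidden", ""):
        print(f"{candidate!r:20} -> {is_safe_definition_name(candidate)}")
```

Run safe_definition_paths before shutil.copy, before calling meta_gen.py, and before writing the .meta.json; a rejected name should fail the deploy rather than fall through to a default.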
Deploy behavior depends on a separate local project/tool that may differ between machines or be modified independently of this skill.
The optional deploy workflow runs a local external `meta_gen.py` tool outside the skill package if it exists; this is purpose-aligned but its provenance is not reviewed in the supplied artifacts.
META_GEN_TOOL = Path.home() / "projects" / "rhino-compute-platform" / "tools" / "meta_gen.py" ... subprocess.run([sys.executable, str(META_GEN_TOOL), str(dest_file), "--force"], ...)
Verify and pin the Rhino Compute Platform tooling before using deploy actions, and run deployment manually if you are unsure.
The agent can make irreversible-looking changes to the active Rhino document if the project is not saved or backed up.
Boolean operations delete or replace input geometry by default unless `--keep` is used; this is normal CAD behavior but destructive if used unintentionally.
def boolean_union(object_ids: list, delete_input: bool = True) ... union_p.add_argument('--keep', '-k', action='store_true', help='Keep input objects')
Save versions before agent-driven modeling, and ask the agent to use `--keep` or request confirmation for destructive edits.
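The confirmation gate recommended for `exec`-style actions above and for destructive boolean edits here can live in one place: a wrapper around the client's send_command. The following is an added example, not RhinoClaw code. Only `execute_rhinoscript_python_code` is a command name taken from the finding; the other command names and the `delete_input` parameter shape are assumptions standing in for whatever the skill actually sends. Raw script execution is let through without a prompt only when the SHA-256 of the code is on a reviewed allowlist, which is how "code you have reviewed" becomes something the wrapper can check.

```python
import hashlib
from typing import Callable, Iterable, Optional, Tuple

EXEC_COMMAND = "execute_rhinoscript_python_code"  # from the finding above
# Assumed command names for the actions the Overview asks to gate.
APPROVAL_REQUIRED = {"deploy_definition", "delete_objects", "save_document", "export_selected"}
BOOLEAN_COMMANDS = {"boolean_union", "boolean_difference", "boolean_intersection"}  # assumed


class ApprovalDenied(PermissionError):
    """The operator (or the absence of one) declined a gated command."""


def code_digest(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def approval_reason(name: str, params: dict, reviewed_code: Iterable[str] = ()) -> Optional[str]:
    """Why `name` needs a human OK, or None if it may go straight to Rhino."""
    if name == EXEC_COMMAND:
        digest = code_digest(params.get("code", ""))
        if digest in set(reviewed_code):
            return None
        return f"raw script execution of unreviewed code (sha256 {digest[:12]})"
    if name in APPROVAL_REQUIRED:
        return f"{name} is on the approval-required list"
    # Mirrors delete_input=True being the default in boolean_union above:
    # absence of the flag is the destructive case, not the safe one.
    if name in BOOLEAN_COMMANDS and params.get("delete_input", True):
        return f"{name} would delete its input objects (no --keep)"
    return None


class GatedClient:
    """Wraps any object with send_command(name, params) and inserts the gate."""

    def __init__(self, inner, confirm: Callable[[str, dict, str], bool], reviewed_code: Iterable[str] = ()):
        self.inner = inner
        self.confirm = confirm          # asked only when approval_reason is not None
        self.reviewed_code = set(reviewed_code)
        self.audit = []                 # (decision, command, reason) for the log

    def send_command(self, name: str, params: dict):
        reason = approval_reason(name, params, self.reviewed_code)
        if reason is not None and not self.confirm(name, params, reason):
            self.audit.append(("denied", name, reason))
            raise ApprovalDenied(reason)
        self.audit.append(("sent", name, reason))
        return self.inner.send_command(name, params)

    def try_send(self, name: str, params: dict) -> Tuple[bool, object]:
        """Non-raising variant: (True, result) or (False, reason)."""
        try:
            return True, self.send_command(name, params)
        except ApprovalDenied as exc:
            return False, str(exc)


class RecordingClient:
    """Stand-in for the real TCP client so the example runs with no Rhino present."""

    def __init__(self):
        self.sent = []

    def send_command(self, name: str, params: dict):
        self.sent.append((name, params))
        return {"status": "ok"}


if __name__ == "__main__":
    rhino = RecordingClient()
    # Constructed: an operator who approves nothing, and one reviewed snippet.
    gated = GatedClient(rhino, confirm=lambda n, p, r: False,
                        reviewed_code=[code_digest("import rhinoscriptsyntax as rs\nrs.AddSphere((0,0,0), 5)")])
    print(gated.try_send("add_sphere", {"radius": 5}))                           # no gate
    print(gated.try_send(EXEC_COMMAND, {"code": "import os; os.system('calc')"}))  # denied
    print(gated.try_send("boolean_union", {"object_ids": ["a", "b"]}))           # denied, no --keep
    print(gated.try_send("boolean_union", {"object_ids": ["a", "b"], "delete_input": False}))
    print(gated.audit)
```

In real use the confirm callback is the interactive prompt; feed it the reason string so the person sees what they are approving, and keep the audit list so a later forensic question ("did the agent run a script, and which one?") has an answer.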
