Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tripo 3d
v2.0.5
Generate 3D models from text or images. Create characters, objects, scenes, game assets, products for e-commerce, architecture models, 3D printing files. Aut...
⭐ 2· 562·3 current·3 all-time
by Tommy @meterlong
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and instructions: the skill implements text-to-3D, image-to-3D, rigging, animation, stylization, conversion, and credits checking. Network outbound permission is expected. No unrelated credentials or system services are requested.
Instruction Scope
Runtime instructions stay on-task (map user intents to generate/status/download/rig/animate/etc.). They do not instruct broad system reconnaissance. One caveat: the implementation persists a small identifier file in the user's home directory (~/.tripo-skill-id) to track user_id for the free-tier proxy — this is outside purely ephemeral runtime behavior and is persistent.
Install Mechanism
There is no install spec and no external downloads; the skill is instruction+small JS runtime (index.mjs). No archive downloads or third-party package installs are performed by the skill itself.
Credentials
Declared optional secrets are proportional: TRIPO_API_KEY (your Tripo account key) and TRIPO_PROXY_SECRET (shared secret for the operator's free-tier proxy). TRIPO_API_KEY is the safer direct option. The TRIPO_PROXY_SECRET mechanism requires sending that secret to skills.vast-internal.com as x-proxy-secret; only set it if you trust the proxy operator. No other unrelated secrets are requested.
Persistence & Privilege
always:false and autonomous invocation are normal. The skill does write a small file (.tripo-skill-id) into the user's HOME (or falls back to an ephemeral in-memory id) so the proxy can track quota — this creates modest persistence on the host but does not modify other skills or system-wide configs.
Assessment
This skill appears to do what it claims. Before installing, consider: 1) Prefer setting your own TRIPO_API_KEY (your account key) so requests go directly to Tripo rather than through the operator proxy. 2) Only set TRIPO_PROXY_SECRET if you explicitly trust the proxy operator (the secret is sent to the proxy as x-proxy-secret). 3) The skill will create a small file named .tripo-skill-id in your home directory to identify you to the free-tier proxy; it's harmless but persistent — you can remove it later. 4) The skill makes outbound network calls and will upload images you provide (or proxy metadata) to the Tripo service or the proxy; do not send sensitive personal data unless you accept that. If you need more assurance, ask the skill author for details on the proxy operator and how free-tier quotas are enforced.
index.mjs:12
Environment variable access combined with network send.
index.mjs:2
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
