Tripo 3d

Pass

Audited by ClawScan on May 10, 2026.

Overview

Tripo 3d appears to do what it claims, but using it sends your model prompts or image links to Tripo or its proxy and creates a small persistent ID file for free-credit tracking.

This skill is reasonable to install if you are comfortable using Tripo or the listed proxy for 3D generation. Before installing, verify the publisher if you plan to add an API key, avoid sending confidential images or product designs unless that exposure is acceptable to you, and be aware that the free-tier path uses a persistent local ID file for quota tracking.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your model descriptions and image links may be visible to Tripo or the proxy operator.

Why it was flagged

The skill sends user prompts, image URLs, and optional file URL arrays to Tripo or the free-tier proxy, which is expected for a cloud 3D-generation service but means user inputs leave the local agent.

Skill content

const TRIPO_API_BASE = "https://api.tripo3d.ai/v2/openapi"; const PROXY_BASE = "https://skills.vast-internal.com/platform/tripo"; ... prompt, type, image_url, files

Recommendation

Do not submit confidential prompts or private image URLs unless you are comfortable with that provider processing them; use your own Tripo API key if you prefer the direct Tripo route.

What this means

A configured API key can create paid or account-linked Tripo tasks, and a proxy secret authorizes access to the free-tier proxy.

Why it was flagged

The skill declares optional credentials for direct Tripo access or the proxy free tier. This is purpose-aligned and disclosed, but users should treat these as account/proxy access secrets.

Skill content

"TRIPO_API_KEY": { ... "required": false }, "TRIPO_PROXY_SECRET": { ... "sent as x-proxy-secret header"

Recommendation

Store secrets only through OpenClaw configuration, verify the publisher before adding keys, and rotate keys/secrets if you no longer trust the skill.

What this means

The proxy can link free-tier requests from the same installation, and the local ID file remains after using the skill.

Why it was flagged

The skill creates a persistent local identifier and sends it as user_id to the proxy for free-credit tracking. It is bounded to a single dotfile, but it persists beyond a single task.

Skill content

const idFile = join(baseDir, ".tripo-skill-id"); ... writeFileSync(idFile, id, "utf-8"); ... user_id: userId

Recommendation

The skill should document this file and ideally store it under an OpenClaw-managed skill directory; users can remove ~/.tripo-skill-id if they want to reset that local identifier.

What this means

It may be harder to confirm whether this package is an official Tripo-maintained integration before trusting it with keys or sensitive prompts.

Why it was flagged

The registry metadata does not provide a verified source or homepage even though the skill handles optional API/proxy secrets and routes data to external services.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the publisher and endpoint ownership before configuring secrets or using the skill for confidential assets.