Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HY 3D Generation

v1.0.0

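Input text or images and, through the Hunyuan 3D (混元生3D) 3.0 and 3.1 models, generate higher-precision, higher-quality 3D models. Supports text-to-3D, image-to-3D, multi-view-to-3D, geometry-only generation (untextured white model), sketch-to-3D, and smart-topology 3D generation.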

0· 507·1 current·1 all-time
by 败毒 @neck-cn
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description say: generate 3D via 混元生3D, and the code uses Tencent Cloud AI3D SDK and endpoints (ai3d.tencentcloudapi.com). The declared need for Tencent API keys (TENCENTCLOUD_SECRET_ID / TENCENTCLOUD_SECRET_KEY) matches the described purpose.
Instruction Scope
SKILL.md instructs the agent to run the provided Python scripts (main.py / submit_job.py / query_job.py) and to default to main.py. It also enforces a 'zero-interaction' rule (agent should not ask user confirmation before running). This is specific and coherent with an automation use-case, but it does increase the potential for the agent to execute code and install dependencies without an interactive confirmation step.
Install Mechanism
There is no pre-install spec in the registry, but each script performs a runtime pip install of 'tencentcloud-sdk-python' via subprocess if the SDK is missing. Installing a well-known PyPI SDK at runtime is expected for this integration, but it does write to disk and requires outbound network/PyPI access — a moderate operational risk to consider.
Credentials
The only secrets/environment variables referenced are TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY, and optionally TENCENTCLOUD_TOKEN — all justified for calling Tencent Cloud APIs. No unrelated credentials, config paths, or secret exfiltration mechanisms are present in the code or instructions.
Persistence & Privilege
The skill is not always-enabled, does not claim to modify other skills or global agent config, and does not request elevated platform privileges. It will install dependencies into the runtime environment, which is normal but persistent until uninstalled.
Assessment
This skill appears to do what it claims: call Tencent's AI3D API to create 3D models. Before installing or using it:
1) Be prepared to provide Tencent API keys (TENCENTCLOUD_SECRET_ID/KEY) — use least-privileged keys and rotate them if possible.
2) Note that the scripts will attempt to pip-install 'tencentcloud-sdk-python' at runtime (this requires network access and writes packages to the environment). If you run in a sensitive or locked-down environment, consider reviewing the code and running it in an isolated sandbox or container.
3) The SKILL.md enforces 'zero-interaction' execution (the agent may run the scripts without asking you), so only enable the skill in contexts where you trust automated script execution.
4) If you want extra assurance, inspect the full scripts locally and run them manually once to confirm behavior (submission to Tencent and retrieval of COS URLs) before allowing autonomous use.

Like a lobster shell, security has layers — review code before you run it.
