Security audit

BimDown

Security checks across malware telemetry and agentic risk

Overview

BimDown is a coherent BIM modeling skill with disclosed local file operations, a permission-gated CLI install, and an optional permission-gated public sharing feature.

Install only if you are comfortable with the external bimdown-cli npm package. Before publishing, review the BIM project for confidential addresses, client names, unpublished designs, notes, or GLB/model files, and confirm the destination endpoint if BIMCLAW_API or --api is used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

External Transmission

Medium
Category
Data Exfiltration
Content
9. **`bimdown resolve-topology <dir>`**: Auto-detects coincident endpoints for MEP curves, generates `mep_nodes`, and fills connectivity fields.
10. **`bimdown merge <dirs...> -o <output>`**: Merges multiple project directories into one, resolving ID conflicts.
11. **`bimdown sync <dir>`**: Hydrates into DuckDB and dehydrates back out to CSV/SVG, applying computed defaults.
12. **Downloading a shared project**: If the user provides a share link like `https://bim-claw.com/s/<token>`, append `/download` to get the zip: `curl -L https://bim-claw.com/s/<token>/download -o project.zip && unzip project.zip -d project/`

## Publishing & Data Upload
Confidence
60%
Finding
curl -L https://bim-claw.com/s/<token>/download -o project.zip && unzip project.zip -d

VirusTotal

66/66 vendors flagged this skill as clean.