Blueprint Intelligence
v1.0.0
AI-powered architectural blueprint analysis. Extract floor plans, structural elements, dimensions, rooms, materials, and more from construction and engineeri...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the implementation: src/main.js calls an external AI image analysis endpoint, parses JSON, extracts rooms/elements/dimensions, and charges per successful analysis via Apify. Required binaries/env are minimal and consistent with an Apify Actor.
Instruction Scope
SKILL.md and code instruct pushes to Apify (Actor.pushData) and call an external AI endpoint (ai.ntriq.co.kr / x402.ntriq.co.kr). The docs state “no permanent storage of blueprints” while the actor pushes analysis results to the Apify dataset (derived data will be persisted) and the original image URLs are transmitted to the remote AI service. This is a privacy/clarity issue rather than immediate maliciousness.
Install Mechanism
No install spec; the skill is instruction-only plus included source files. package.json lists only the apify dependency. Nothing is downloaded from obscure URLs during install; this is low risk for install-time supply chain concerns.
Credentials
The skill declares no required env vars, and the code only optionally reads AI_API_ENDPOINT and AI_REQUEST_TIMEOUT. However, SKILL.md shows Apify usage (apify push, API calls), which in practice requires APIFY_TOKEN when deployed or invoked via API. That credential is not declared but is expected for Apify workflows. No unrelated secrets are requested.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. It stores analysis results in Apify datasets (normal for an actor) and charges via Actor.charge — expected for a PPE actor.
Assessment
This skill is largely coherent with its stated purpose, but review a few things before installing:
- Privacy: the actor sends image URLs to a third-party AI endpoint (ai.ntriq.co.kr / x402.ntriq.co.kr). If your blueprints are sensitive, test with non-sensitive images and confirm the vendor's handling (they claim no permanent storage, but the actor does push analysis results to an Apify dataset which will persist derived data).
- Credentials: deploying or calling the Apify actor requires an APIFY_TOKEN (not listed in requires.env). Ensure you understand where that token is used and limit its scope.
- Billing: the actor charges $0.25 per successful analysis via Actor.charge; validate billing behavior on test runs to avoid unexpected charges.
- Endpoint trust: the AI endpoint is a third-party domain (not a major public provider). If you need higher assurance, consider running a local or vetted model endpoint, or set AI_API_ENDPOINT to a trusted host before use.
If you want higher confidence, request the maintainer's security/privacy policy, confirm data retention behavior on the AI service, and run the actor in a sandbox with test images first.
src/main.js:4
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.
Like a lobster shell, security has layers — review code before you run it.
latestvk971b0kvrk84p8s8tvdwq76h2n843csw
