Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
tripo3d
v1.0.1
Tripo3D AI 3D model generation. Use when generating 3D models from text prompts or images via the Tripo3D API. Supports Text-to-3D, Image-to-3D, Multiview-to...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly requires a TRIPO3D_API_KEY and describes calling the Tripo3D API (endpoints, uploads, downloads), which is coherent with the skill's name and description. However, the registry metadata lists no required env vars or primary credential — that is inconsistent and misleading for users who expect credential requirements to be declared. The SKILL.md also assumes PowerShell/.NET for downloads (Windows-specific) but the skill declares no OS or binary requirements.
Instruction Scope
Instructions focus on creating tasks, uploading images, polling status, and downloading models — all within the stated purpose. Concerns: (1) the doc strongly pushes PowerShell/.NET WebClient and a particular local proxy (Clash Verge on port 7897), which is operational guidance that could route traffic through a local proxy; (2) polling guidance is inconsistent (it says poll every 5–10s, but also says 'Never block with sleep' and 'poll only when user asks'); (3) SKILL.md requires access to an API key (not declared in metadata). The instructions do not ask the agent to read unrelated files or other credentials.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes on-disk footprint and is the lowest-risk install pattern.
Credentials
The runtime docs require TRIPO3D_API_KEY (appropriate for an API client), but the registry metadata did not declare any required env vars or a primary credential. That discrepancy is a red flag: users may not realize they must supply an API key. No other credentials are requested, which is proportionate to the described functionality.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It is user-invocable and allows autonomous invocation (the platform default); that alone is expected and not a reason to flag.
What to consider before installing
The SKILL.md appears to implement a legitimate Tripo3D API client, but the registry metadata does not declare the TRIPO3D_API_KEY that the instructions require — this mismatch is the main concern. Before installing: (1) confirm the skill owner and whether the registry metadata will be corrected to list TRIPO3D_API_KEY; (2) only provide an API key you can revoke (create a scoped/test key if the platform allows); (3) be aware the instructions favor PowerShell/.NET and a local proxy (127.0.0.1:7897) — routing traffic through a proxy can expose requests to interception, so avoid enabling unknown system proxies; (4) test on an isolated account/environment first to confirm behavior; (5) ask the maintainer why the metadata omits required env vars and why Python/aiohttp is discouraged. These checks will reduce risk and clarify whether the inconsistencies are just sloppy packaging or something more suspicious.
Like a lobster shell, security has layers — review code before you run it.
