Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Copilot For Revit Skill

v1.0.1

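Enables OpenClaw to operate Revit. Invoked automatically when the user mentions Revit-related operations (drawing sheets, annotations, views, elements, etc.). Supported operations include:
- Check Revit status
- List available tools
- Execute Revit commands (generate drawing sheets, create annotations, query elements, etc.)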

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name and description match the implementation: the skill calls a local openclaw-bridge to talk to a Revit MCP service. The script and SKILL.md expect REVIT_MCP_URL and OPENCLAW_BRIDGE_DIR which are appropriate for this purpose. However the registry metadata earlier said "Required env vars: none" while SKILL.md declares two required env vars — an inconsistency that should be resolved.
Instruction Scope
SKILL.md instructs automatic activation on Revit-related keywords and to call the remote Revit MCP service to run commands (including commands that modify or delete elements). The document explicitly warns about destructive operations but the default behavior (automatic activation + no command-execution confirmation by default) risks accidental destructive changes. Instructions do not ask to read unrelated system files or secrets, but they do require network access to a Windows host on port 18181.
Install Mechanism
This is instruction-only with a small helper script; there is no download/install spec. The script invokes the local openclaw-bridge repo via 'uv run' in the configured directory — this is consistent with the stated workflow and doesn't pull arbitrary remote binaries in the skill itself.
Credentials
The only environment/config items used are REVIT_MCP_URL and OPENCLAW_BRIDGE_DIR, which are appropriate and low-privilege (no API keys or secrets requested). The mismatch between registry metadata (which listed no required env vars) and SKILL.md declarations should be fixed so users know what to set.
Persistence & Privilege
always:false (good) and model invocation is allowed (normal). However, because the skill is configured to auto-trigger on keywords and can execute modifying commands on a remote Revit instance, autonomous invocation increases the risk of unintended destructive actions. Recommend enabling explicit command-confirmation before making changes and restricting automatic activation.
What to consider before installing
This skill appears to be what it says: it calls a Revit MCP service via a local openclaw-bridge. Before installing, do the following:
(1) Verify and set REVIT_MCP_URL and OPENCLAW_BRIDGE_DIR in your environment — the registry metadata currently doesn't list them, so the SKILL.md is the authoritative source.
(2) Only use on a trusted network where the Linux host can reach the Windows Revit MCP port.
(3) Treat it as potentially destructive: test in a non-production Revit project first and enable any available command-confirmation in OpenClaw.
(4) Consider disabling automatic keyword activation or require an explicit 'use Revit' prefix so the agent doesn't run commands accidentally.
(5) Inspect and trust the openclaw-bridge code in OPENCLAW_BRIDGE_DIR (it's executed by the script).
If you need higher assurance, request the publisher clarify the metadata mismatch and add an explicit confirmation step before commands that modify Revit models.

Like a lobster shell, security has layers — review code before you run it.
