Skill v1.0.5
ClawScan security
CAD Viewer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 9, 2026, 1:33 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, scripts, and required actions are coherent with a CAD DWG/DXF analysis tool; it asks for network access and elevated permissions only for an explicit optional setup step to install ODA/QCAD and system packages.
- Guidance: This skill appears to be what it claims: a CAD DWG/DXF analysis tool. Key things to consider before installing/using it:
  1. The setup step (optional) will download binaries from opendesign.com and qcad.org and will use sudo to install system packages and/or rpm/deb packages; only run it if you trust those downloads and you understand it will modify the host.
  2. Prefer manual installation: install ezdxf/matplotlib via pip and install ODA/QCAD yourself, then point the skill at those binaries (or set QCAD_DWG2BMP_PATH) to avoid automatic root operations.
  3. Because setup.sh uses global pip/rpm/dpkg and may run rpm -i --nodeps, consider running setup inside a disposable VM or container if you are uncertain.
  4. The runtime tool reads local files only; it does not request secrets or phone-home endpoints beyond the explicit downloads in setup.
  5. If you want higher assurance, inspect scripts/setup.sh and scripts/cad_tools.py locally (they are included) before running any setup commands.
Review Dimensions
- Purpose & Capability: ok. Name/description match the included code and scripts: cad_tools.py implements the described DWG/DXF queries, screenshots, distance calculations and audit functions. The external tools (ODA File Converter, QCAD dwg2bmp) are legitimately required for DWG rendering and high-quality screenshots.
- Instruction Scope: note. SKILL.md and README consistently instruct the user to run the included setup (explicit confirmation required) to enable DWG support; runtime commands operate on local DWG/DXF files and output JSON. The setup path does perform network downloads and uses sudo, so follow-up manual review or interactive confirmation is necessary before granting those privileges.
- Install Mechanism: note. There is no automated install spec in the registry (instruction-only), but the package includes a setup.sh and a setup subcommand that will (with explicit confirmation) download installers from opendesign.com and qcad.org, run rpm/dpkg, and install system packages. Downloads point to official project domains (no URL shorteners or personal servers), but the helper runs extraction/installation on the host when invoked.
- Credentials: ok. The skill does not request secrets or unrelated environment variables. It optionally honors QCAD_DWG2BMP_PATH and reads a local .setup marker; otherwise it works with local files. Elevated privileges are required only for the explicit automated setup/install step.
- Persistence & Privilege: ok. always is false and the skill does not attempt to modify other skills or global agent settings. Setup writes files into its own assets/ directory (oda_wrapper.sh, qcad extraction, .setup_done), which is normal for a local tool.
