ClawHub

Agent Skill

v1.1.2

A bridge between AI and building data. Read & create BIM exactly like writing code. Execute architectural design, or just model your own house!

0· 15·0 current·0 all-time
by@novashang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and runtime instructions consistently describe a BIM authoring/workflow helper that expects a separate bimdown CLI to be installed. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md confines its actions to creating/validating BIM CSV+SVG files and running CLI commands (render, build, query, publish). It explicitly requires asking the user before running npm install or before first publish, which is good. One notable omission: the 'publish' step says it will upload and return a 3D preview URL but does not document the upload destination/service or whether authentication will be required — that is a data-exfiltration surface the user should confirm before publishing project data.
Install Mechanism
The skill is instruction-only (no install spec). It tells the agent/user to run `npm install -g bimdown-cli`. Global npm installs may require elevated privileges and pull code from npm; the SKILL.md instructs to ask user permission first. Before installing, verify the bimdown-cli package source (npm/GitHub), review its publisher, and consider installing in a container or locally instead of globally.
Credentials
No environment variables, credentials, or config paths are requested or referenced. The skill's file and CLI operations align with the BIM modeling purpose and do not demand unrelated secrets.
Persistence & Privilege
Skill flags show normal privileges (always: false, user-invocable). The skill does not request permanent presence or system-wide configuration changes. It relies on user-run CLI commands and user consent for publish/install.
Assessment
This skill appears coherent with its BIM modeling purpose, but it relies on an external CLI and a publish/upload step — before proceeding: (1) Do not let the agent run npm install or publish without your explicit consent (the SKILL.md also says this). (2) Verify the bimdown-cli package source (npm page and GitHub repo), review maintainers and recent activity, and run `npm audit` or inspect the code before installing; prefer installing in a sandbox or container rather than globally if you are unsure. (3) Ask where 'bimdown publish' uploads your project and what account/credentials are used; avoid publishing sensitive information until you know the destination. (4) Back up or keep sensitive files out of the project directory, as the instructions recommend. If you want, I can help you draft the exact permission prompts the agent should present to the user before install or publish, or help inspect the bimdown-cli package metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk974t160v5xay8hsrqkfxk6fan84d1d8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments