BimDown
v1.3.0
A bridge between AI and building data. Read & create BIM exactly like writing code. Execute architectural design, or just model your own house!
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (BIM read/create/render/publish) match the instructions: the SKILL.md describes CSV+SVG workflows, build/render/query/publish CLI commands and SOPs. Nothing requested (no env vars, no unrelated binaries) is out of scope for a BIM tool.
Instruction Scope
Instructions are focused on authoring BIM CSV/SVG, building, rendering and publishing. The SKILL.md explicitly requires asking user consent before running `npm install -g bimdown-cli` and before the first `bimdown publish`. However the publish target is not specified (the CLI will 'upload and get a shareable 3D preview URL' but SKILL.md does not name the destination or domain), which creates potential data-exfiltration ambiguity that users should confirm before publishing.
Install Mechanism
The skill is instruction-only (no install spec, no code files). It recommends installing an npm CLI (`npm install -g bimdown-cli`); that is expected for a CLI-based skill. The SKILL.md itself instructs the agent to ask for user permission before running npm install autonomously.
Credentials
No environment variables, credentials, or config paths are requested. The lack of requested secrets is proportional to the stated purpose. (Note: publishing may still require auth handled by the CLI at runtime — the skill does not declare or request any creds.)
Persistence & Privilege
Skill is not marked always:true and is user-invocable. No instructions to modify other skills or system-wide agent settings are present. The skill expects the user/agent to install a CLI tool, which is normal and scoped to this capability.
Scan Findings in Context
[no_regex_matches] expected: The static regex scanner found nothing because this is an instruction-only skill with no code files. That is expected, but it means we cannot validate runtime behavior of any external CLI the skill recommends.
Assessment
This skill appears consistent with a BIM CLI workflow, but take two precautions before proceeding: (1) Confirm exactly what `bimdown publish` uploads and where (domain/service), and avoid publishing sensitive projects until you verify the destination and privacy policy. (2) Inspect the npm package before installing globally: review the package's npm/github pages, check recent versions and maintainers, and prefer installing in a sandbox/container (or use npx) rather than running `npm install -g` system-wide. The SKILL.md itself instructs the agent to ask for permission before performing installs or the first publish — ensure the agent follows that and prompt the user for explicit consent. If you want higher assurance, ask for the npm package repo URL and the CLI's publish endpoint before installing or running it.
Like a lobster shell, security has layers — review code before you run it.
