Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PrintPal 3D Generation

v1.0.2

Generate 3D models for 3D printing from images or text prompts using PrintPal API. Use when the user wants to create 3D printable models, convert images to S...

by Peter Lebiedzinski (@plebbyd)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill name/description (PrintPal 3D generation, image-to-3D, text-to-image, SEO) matches the included scripts (generate_3d.py, seo_product_photos.py, save_image.py, serve_files.py) and the declared runtime behavior (calls to PrintPal, WaveSpeed, OpenRouter). One inconsistency: the registry metadata at the top indicated 'Required env vars: none' while SKILL.md and the scripts require PRINTPAL_API_KEY (required) and optionally WAVESPEED_API_KEY and OPENROUTER_API_KEY. This is a metadata mismatch but the requested env vars themselves are proportionate to the stated purpose.
Instruction Scope
The SKILL.md instructions stay within the scope: accept image paths/URLs or text prompts, optionally generate images with WaveSpeed, send images to PrintPal for 3D generation, and generate SEO text via OpenRouter. Scripts download user-supplied images and call external APIs; they do not attempt to read unrelated system files or hidden credentials. The serve_files.py script can start a local HTTP server and — if --public is used — bind to 0.0.0.0 (explicitly warned in docs). The skill explicitly notes that downloaded content is untrusted and warns about third‑party packages.
Install Mechanism
There is no automated install spec in the registry (instruction-only install). SKILL.md recommends installing Python packages via pip (printpal, wavespeed, requests). No archives or external arbitrary download URLs are used by the installer; dependencies are standard pip packages (moderate but expected risk).
Credentials
The environment variables requested (PRINTPAL_API_KEY required, WAVESPEED_API_KEY and OPENROUTER_API_KEY optional) are directly relevant to calling the respective third-party APIs. This is proportionate. Notes: (1) the top-level registry metadata omitted these env requirements while SKILL.md includes them — an inconsistency the user should verify; (2) the skill will transmit images and prompts to external services (PrintPal, WaveSpeed, OpenRouter), so those API keys will be used to authenticate network requests and could be used to access your accounts on those services.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable. It does instruct users to configure API keys in the OpenClaw config file (~/.openclaw/openclaw.json), which is normal for skills. It does not modify other skills or global system configs. Be aware the serve_files script has an explicit --public flag to expose files network-wide — use with caution.
Assessment
This skill appears to be what it says: it generates 3D models using PrintPal and optionally uses WaveSpeed (images) and OpenRouter (SEO). Before installing or using it:
- Verify the registry metadata vs SKILL.md: the registry summary omitted required env vars but the skill needs PRINTPAL_API_KEY (required) and optionally WAVESPEED_API_KEY and OPENROUTER_API_KEY — only set those if you trust those services and keys.
- Understand that images (including ones downloaded from user-supplied URLs) and prompts are transmitted to external services (printpal.io, wavespeed.ai, openrouter.ai). Do not send sensitive images or data.
- Review and vet the pip packages (printpal, wavespeed, requests) before pip installing, and prefer installing in a virtualenv.
- The local file server defaults to localhost, but using --public or binding to 0.0.0.0 will expose files to the network; avoid that unless intended.
- If you need higher assurance, ask the publisher for a provenance link/homepage or inspect the printpal/wavespeed package source on PyPI/GitHub to confirm no unexpected behavior.

If anything about the registry metadata or publisher identity seems off, treat it with caution.

Like a lobster shell, security has layers — review code before you run it.
