ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Cad Generator

v1.0.1

豆豆CAD/3D能力提升方案的核心技能。 接收用户描述,生成JSON参数定义文件,通过FRP隧道发送到M4 Pro执行重计算和渲染。 支持郁金香花瓣等参数化模型生成。

0· 67·0 current·0 all-time
by@zimuge-doudou

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zimuge-doudou/skill-cad-generator.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Skill Cad Generator" (zimuge-doudou/skill-cad-generator) from ClawHub.
Skill page: https://clawhub.ai/zimuge-doudou/skill-cad-generator
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill-cad-generator

ClawHub CLI

Package manager switcher

npx clawhub@latest install skill-cad-generator
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (generate JSON params and push to local M4 Pro via FRP) matches the declared network outbound permission to localhost:3006 and the manifest's external API dependency. However there are mismatches: SKILL.md shows JavaScript API calls (generateTulipPetal, extractParams) but repository provides only Python modules. Manifest allows writing to ~/DouCAD/engine/ and ~/DouCAD/output/, but the Python code writes only to a local 'projects' folder within the package. Also the manifest input/output schema differs from SKILL.md (e.g., SKILL.md says output limited to obj/png; manifest's input_schema allows stl/dxf).
!
Instruction Scope
SKILL.md instructs sending JSON to http://localhost:3006/generate (via FRP 6003) and presents JS usage examples, but none of the Python implementation files implement any HTTP client or code to POST to that endpoint. The runtime instructions assume functions/APIs that do not exist in the shipped code. SKILL.md claims network isolation and no auth on M4 Pro (internal), but there is no code-level enforcement or proof of that behavior. This gap grants the agent broad discretion in how to implement the described behavior at runtime and could lead to unexpected network/file actions if modified.
Install Mechanism
No install spec (instruction-only) and no downloads — lowest install risk. Files are bundled with the skill; nothing is fetched from external URLs during install.
Credentials
The skill declares no required environment variables or credentials, which is consistent with an internal LAN-only workflow. However the manifest requests file_system write permissions to '~/DouCAD/engine/' and '~/DouCAD/output/' that the provided code never uses (it writes to a local 'projects' directory). That elevated file write scope is disproportionate to the implemented code and should be justified or narrowed.
!
Persistence & Privilege
The skill is not always-enabled and does not request elevated system execution privileges. Still, the manifest grants write access to project/engine/output paths under the user's home, which is broader than the code's actual behavior; granting such filesystem write permissions increases persistence/impact if the skill were later modified. No other skills or system-wide configs are modified by the code.
What to consider before installing
This skill is plausible for forwarding CAD parameters to a local renderer, but there are multiple inconsistencies you should resolve before installing: 1) The SKILL.md shows JS API usage (generateTulipPetal/extractParams) but only Python modules are shipped — verify which runtime and API surface your agent will actually call. 2) The skill claims to POST to http://localhost:3006/generate, but no HTTP client or network code is present; ask the author for the implementation or plan for how the agent will send data. 3) The manifest grants write permission to ~/DouCAD/engine/ and ~/DouCAD/output/ even though the code writes only to a bundled 'projects' folder — narrow filesystem permissions if possible. 4) Confirm that the M4 Pro endpoint is truly internal and requires no authentication; lack of auth is a risk if the tunnel is misconfigured. 5) Test the skill in a restricted/sandboxed environment first (no sensitive files, limited network) and request updated, consistent documentation and an implementation that matches the declared APIs and permissions. If you cannot get these clarifications, treat the skill as untrusted and avoid granting broad filesystem or network privileges.

Like a lobster shell, security has layers — review code before you run it.

latestvk97076szmvgafjsw4zgdsdc15d84spar
67downloads
0stars
1versions
Updated 2w ago
v1.0.1
MIT-0
@zimuge-doudou
latest
Download

invocation_mode: both preferred_provider: minimax

CAD生成器技能 v1.0

功能概述

豆豆作为参数定义引擎,M4 Pro作为图形工作站的协同架构:

  • 豆豆职责:理解用户需求 → 生成JSON参数定义 → 推送到M4 Pro
  • M4 Pro职责:接收参数 → Three.js渲染 → 生成OBJ/CAD文件 + 预览图

通信协议

JSON参数格式

{
  "model_type": "tulip_petal",
  "params": {
    "radius": 45,
    "curvature": 0.75,
    "twist": 35,
    "length": 120,
    "segments": 32,
    "material": "acrylic",
    "color": "#FF69B4"
  },
  "output": {
    "format": "obj",
    "preview": "png"
  }
}

M4 Pro服务端点

使用方法

生成郁金香花瓣

// 输入:用户描述文本
// 输出:3D模型文件 + 预览图
const result = await skill_cad_generator.generateTulipPetal(userDescription);

参数提取

// 输入:自然语言描述
// 输出:结构化参数对象
const params = await skill_cad_generator.extractParams(description);

依赖项

  • FRP隧道 (6003端口 → M4 Pro:3006)
  • M4 Pro Three.js引擎 (~/DouCAD/engine/)
  • HTTP客户端库

安全性说明

  • 参数验证:所有数值参数都有合理范围限制
  • 模型类型白名单:只允许预定义的模型类型
  • 输出格式限制:仅支持obj/png格式
  • 网络隔离:仅通过FRP隧道与M4 Pro通信

HTML页面集成

  • 集成在设计部工作台 (design.html)
  • 灯光/音响/视频部门的CAD生成功能
  • AI助手对话中可直接调用

Comments

Loading comments...