Back to skill
Skillv1.0.1
ClawScan security
2D to 3D Image Converter – Transform 2D Images into 3D Models Free Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 10, 2026, 8:17 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's declared purpose, required credential, and runtime instructions are internally consistent with a WeShop API-based 2D→3D conversion; there are no unexpected binaries, installs, or unrelated credentials requested — but the publisher/homepage is missing so exercise normal caution before giving an API key or uploading sensitive images.
- Guidance
- This skill appears coherent for calling WeShop's 2D→3D API and only asks for the corresponding API key. Before installing or supplying WESHOP_API_KEY: (1) verify you trust openapi.weshop.ai and the publisher — there is no homepage listed here, so confirm the source; (2) avoid uploading sensitive or private images until you understand WeShop's privacy/retention policies; (3) prefer creating a limited-scope or test API key and test with non-sensitive images first; (4) rotate and revoke the key if you stop using the skill; (5) if you need assurances, ask for a homepage, privacy policy, or official docs for the specific API endpoints referenced.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions which target openapi.weshop.ai and the declared primary env var WESHOP_API_KEY. No unrelated env vars, binaries, or install steps are requested, so required privileges align with the stated conversion purpose.
- Instruction Scope
- noteSKILL.md confines actions to the WeShop OpenAPI endpoints (start run, poll run, upload images). It warns not to send the API key to other domains. One operational detail: the skill implies uploading image data (POST /openapi/agent/assets/images), which means the agent will read image data and transmit it to openapi.weshop.ai — expected for this task but relevant for privacy-sensitive images.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — nothing will be written to disk or installed by the skill itself.
- Credentials
- okOnly a single credential (WESHOP_API_KEY) is required and is clearly tied to the declared API host. The SKILL.md documents how the key is used (raw Authorization header). No extra or unrelated secrets are requested.
- Persistence & Privilege
- noteThe skill is not marked always:true and is user-invocable; model invocation is allowed (default). That is normal, but granting an autonomous agent a network-capable skill plus an API key means the agent could transmit data (images) to the external service without further user interaction — consider that when deciding to provide credentials or upload sensitive content.