Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Blender Animation

v1.0.1

Generate and render 3D animations using Blender headless mode, including scene setup, object and camera animation, lighting, and output to MP4 video.

by Vignesh G (@vignesh8164)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill intends to run Blender in headless mode, which is coherent with its purpose, but the package metadata does not declare Blender as a required binary. skill.json lists only 'bash' as a tool; the SKILL.md expects a 'blender' binary on PATH. There's also a version mismatch: registry metadata version is 1.0.1 while skill.json contains 1.0.0. These inconsistencies mean the runtime requirements are not fully declared.
Instruction Scope
Runtime instructions direct the agent to generate a Blender Python script and execute it with Blender. A Blender (bpy) Python script has full access to Python runtime inside Blender and can: read arbitrary files, open network connections, call subprocesses, or perform other side effects. The SKILL.md lists prohibitions (no arbitrary shell commands, no access to /etc or /home), but there is no mechanism in the skill to enforce those limits — the generated script itself could violate them. The script path is /tmp/blender_script.py (attacker-writable location), increasing risk of accidental/intentional injection or replacement if the environment isn't isolated.
Install Mechanism
There is no install spec (instruction-only skill) and only a tiny wrapper script. That minimizes what the skill writes to disk. No remote downloads or extraction are present in the bundle.
Credentials
The skill declares no required environment variables or credentials, which is proportional. However, it implicitly requires a local 'blender' binary and access to /tmp; the absence of a declared binary requirement is an omission that could cause accidental misconfiguration or unexpected behavior.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request persistent privileges or modify other skills. Autonomous invocation is allowed by default but not unusual and not in itself flagged here.
What to consider before installing
This skill will create and run a Blender Python script you or the agent generates. That script runs inside Blender's Python environment and can perform arbitrary file and network operations — the SKILL.md's stated 'no network / no sensitive files' rules are advisory only and not enforced by the skill. Before installing or invoking:

- Only run this skill in a strict sandbox (container/VM) with no access to host files, credentials, or network unless explicitly needed.
- Do not run unreviewed generated Blender Python scripts. Always inspect the script saved to /tmp/blender_script.py before execution.
- If you control the environment, modify scripts/run_blender.sh to safely quote the path (use "blender -b -P "$SCRIPT_PATH" ...") to avoid shell word-splitting/injection, and consider running blender under a user with minimal permissions.
- Ensure the host has Blender installed and that you are comfortable granting it execution rights; the skill metadata does not declare this requirement.
- If you need stronger guarantees, add runtime controls: disable Python execution in Blender if possible, restrict network egress, and mount /tmp to an isolated volume.

Given these gaps between claimed constraints and what is actually executable, treat this skill as potentially dangerous unless used only in tightly sandboxed, monitored environments.
