Kujiale 3D Model Upload
v1.0.0
Validates and runs the complete 5-step Kujiale OpenAPI 3D model upload flow: STS credentials → OSS upload → trigger model parse → poll parse status → submit...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the included Python implementation which performs STS → OSS upload → parse → poll → submit. Requested capabilities (requests, oss2, network access to openapi.kujiale.com and returned OSS endpoints) are coherent with the stated purpose. Minor inconsistency: registry metadata lists no required env vars while SKILL.md and the script require KUJIALE_APP_KEY and KUJIALE_APP_SECRET.
Instruction Scope
SKILL.md instructs the agent/user to set Kujiale credentials, optionally create a local test ZIP, run dry-run (no network), or run the real flow. The script reads only the declared credentials and ZIP file path, disables proxy/env-derived TLS overrides (explained in comments), and talks only to openapi.kujiale.com and OSS endpoints returned by the STS call. Caveat: the script has hard-coded defaults for Step 5 (location and brandCats) that will be submitted if not changed — this can cause unintended real submissions if the user runs the real flow without adjusting those values.
Install Mechanism
No install spec in the registry; the Quick Start asks to pip install requests and oss2. That is proportionate and traceable. There are no downloads from untrusted URLs or archive extraction steps in the skill metadata.
Credentials
The only sensitive environment variables the script requires are KUJIALE_APP_KEY and KUJIALE_APP_SECRET, which are appropriate for this API integration. The registry metadata omission of these required env vars is an inconsistency to be aware of. The script intentionally disables trust_env which prevents inheriting proxy/CA settings — this is explained but means it will ignore system proxy and cert environment variables.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false), does not modify other skills or system-wide configs, and does not embed built-in credentials. Autonomous invocation is allowed (platform default) but that is normal for skills; nothing else indicates a persistence or privilege escalation attempt.
Assessment
This package appears to do what it says: it runs the Kujiale 5-step upload flow and requires only your Kujiale app key/secret and network access. Before running it on a production tenant: (1) review and, if needed, change the Step 5 defaults (location/brandCats) so you don't accidentally submit unwanted metadata; (2) run python kujiale_upload.py --dry-run to validate connectivity and behavior without network calls; (3) verify the full kujiale_upload.py contents (the file in the package is the runtime behavior — confirm there are no additional hidden endpoints or logging of secrets); (4) supply credentials in a safe way (env vars or CLI) and avoid running with elevated token exposure; (5) be aware the script disables proxy/certificate env overrides (trust_env=False) which is intentional but may change how your environment routes traffic. I have medium confidence because registry metadata omitted required env vars and a truncated code listing was provided — a full review of the complete file contents and a test dry-run would increase confidence.
Like a lobster shell, security has layers — review code before you run it.
