Skill v1.1.0

ClawScan security

Lux3D 3D Model Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 13, 2026, 10:57 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package mostly implements a legitimate 2D→3D client, but there are inconsistencies (a required env var that the metadata does not declare, an unknown source/homepage, and some questionable security choices) that you should understand before installing it or trusting it with sensitive images or keys.
Guidance
Before installing or using this skill:
- Expect to provide an API key in LUX3D_API_KEY (a base64 invitation code). The registry metadata incorrectly states that no env vars are required; confirm this yourself before trusting the package.
- The client sends your image (base64-encoded) to https://api.luxreal.ai. Do not send sensitive or private images unless you trust that remote service and its privacy policy.
- Verify the origin: the skill has no homepage and its source is 'unknown'. The SKILL.md points to a GitHub repo, an email domain (qunhemail.com) and a Microsoft Forms link; investigate those independently to confirm legitimacy.
- Cryptographic note: the client uses MD5 for request signatures, which is weak by modern standards. This is a design choice by the service rather than a directly exploitable flaw, but it matters if you require strong integrity guarantees on requests.
- Operational: install Pillow/requests in an isolated environment, rotate invitation keys regularly, and avoid using production or sensitive account credentials with unverified services.
- If you need higher assurance, ask the publisher for official docs, a homepage/release page, and a verifiable origin of the API endpoint before using the skill with real data.
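The "confirm this yourself" step can be done mechanically rather than by reading the client line by line. The following is an added example, not part of the ClawScan report or of the Lux3D skill: a small static audit that walks a bundled Python client's AST for environment-variable reads and hashlib calls, extracts the hosts it contacts from URL literals, and diffs the env vars it finds against the registry's declared list. The sample client and metadata embedded below are constructed stand-ins that reproduce only the behaviours the review describes; the `requiredEnv` field name, the `/v1/jobs` path and the signing scheme are assumptions, not the real service's API.

```python
import ast
import re
from urllib.parse import urlparse

# Constructed stand-in for the skill's bundled Python client. It is not the
# real Lux3D client; it only reproduces the behaviours the review describes
# (reads LUX3D_API_KEY, posts to api.luxreal.ai, signs requests with MD5).
# The /v1/jobs path and the signing scheme are assumptions.
SAMPLE_CLIENT = '''
import base64, hashlib, os, requests

API_BASE = "https://api.luxreal.ai"

def load_key():
    raw = os.environ["LUX3D_API_KEY"]   # base64 invitation code
    return base64.b64decode(raw).decode()

def sign(params, sk):
    payload = "&".join(f"{k}={v}" for k, v in sorted(params.items())) + sk
    return hashlib.md5(payload.encode()).hexdigest()

def submit(image_b64, key):
    r = requests.post(API_BASE + "/v1/jobs", json={"image": image_b64})
    return r.json()
'''

# Constructed stand-in for the registry metadata; the key name "requiredEnv"
# is an assumption. It mirrors the finding that no env vars are declared.
SAMPLE_METADATA = {"requiredEnv": []}

WEAK_HASHES = {"md5", "sha1"}
URL_RE = re.compile(r"https?://[^\s'\"]+")


def _str_const(node):
    """Return the string value of a constant node, else None."""
    if type(node).__name__ == "Index":      # Python < 3.9 wraps subscript slices
        node = node.value
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


class _Auditor(ast.NodeVisitor):
    def __init__(self):
        self.env_reads = set()
        self.weak_hashes = set()

    def visit_Subscript(self, node):
        # os.environ["NAME"]
        if isinstance(node.value, ast.Attribute) and node.value.attr == "environ":
            name = _str_const(node.slice)
            if name:
                self.env_reads.add(name)
        self.generic_visit(node)

    def visit_Call(self, node):
        f = node.func
        if isinstance(f, ast.Attribute):
            base = f.value
            # os.getenv("NAME") or os.environ.get("NAME")
            is_getenv = f.attr == "getenv" and isinstance(base, ast.Name) and base.id == "os"
            is_env_get = f.attr == "get" and isinstance(base, ast.Attribute) and base.attr == "environ"
            if (is_getenv or is_env_get) and node.args:
                name = _str_const(node.args[0])
                if name:
                    self.env_reads.add(name)
            # hashlib.md5(...) / hashlib.sha1(...)
            if isinstance(base, ast.Name) and base.id == "hashlib" and f.attr in WEAK_HASHES:
                self.weak_hashes.add(f.attr)
        self.generic_visit(node)


def audit_skill(source, metadata):
    """Static audit of a skill's Python client against its registry metadata."""
    auditor = _Auditor()
    auditor.visit(ast.parse(source))
    hosts = {urlparse(u).hostname for u in URL_RE.findall(source)}
    declared = set(metadata.get("requiredEnv") or [])
    return {
        "env_reads": auditor.env_reads,
        "undeclared_env": auditor.env_reads - declared,   # the review's core finding
        "hosts": hosts,
        "weak_hashes": auditor.weak_hashes,
    }


def findings(result):
    """Turn an audit result into reviewer-style findings, one string each."""
    out = []
    for name in sorted(result["undeclared_env"]):
        out.append(f"concern: reads env var {name} that the metadata does not declare")
    for host in sorted(h for h in result["hosts"] if h):
        out.append(f"note: sends data to {host}; check its privacy policy")
    for alg in sorted(result["weak_hashes"]):
        out.append(f"note: uses {alg} for hashing/signing; weak by modern standards")
    return out


if __name__ == "__main__":
    for line in findings(audit_skill(SAMPLE_CLIENT, SAMPLE_METADATA)):
        print(line)
```

Run it against the real skill by reading the bundled client file and the registry metadata JSON instead of the constructed stand-ins. The AST walk only catches literal names; a client that builds env var names dynamically or reads `os.environ` wholesale will not show up, which is itself something to flag.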

Review Dimensions

Purpose & Capability
note
The code and SKILL.md implement a 2D-image→3D-model workflow that matches the skill name and description. However, the registry metadata claims no required environment variables or credentials, while the code and documentation clearly require a LUX3D_API_KEY environment variable (a base64 invitation code). The missing declaration in the metadata is an inconsistency and reduces transparency about what this skill needs.
Instruction Scope
ok
The instructions and included client focus on submitting an image, polling for results, and downloading a model. The runtime only accesses the specified image file(s) and the environment variable LUX3D_API_KEY, and writes the output file. It sends base64-encoded image data to an external API (api.luxreal.ai), which is expected for this functionality. There are no instructions to read unrelated system files, shell history, or other credentials.
Install Mechanism
ok
This is an instruction-only skill with an included Python client; there is no install spec that downloads arbitrary code. The SKILL.md recommends installing standard pip packages (Pillow, requests), which is low-risk compared with remote archive downloads. Note: because there is no automated install spec, the environment must already have these dependencies or the user must install them manually.
Credentials
concern
The client requires a LUX3D_API_KEY (a base64 invitation code containing ak/sk/appuid) to operate. The registry metadata lists no required env vars or primary credential, which is inconsistent and misleading. Apart from that, the set of secrets requested is limited and coherent for an external API client (one API key).
Persistence & Privilege
ok
The skill does not request permanent/always-on presence, does not declare elevated platform privileges, and does not modify other skills or system-wide settings. It runs as a normal client invoked by the agent.