ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai 3d Generator

v1.0.0

Génère automatiquement des modèles 3D paramétriques détaillés en Python/Trimesh à partir de descriptions textuelles, avec export STL optimisé.

0· 785·4 current·4 all-time
byCelluloid@vonzellu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (generate parametric 3D models, export STL) align with the included Python examples and helper scripts; the code uses trimesh and produces STL exports as claimed.
!
Instruction Scope
Runtime instructions and scripts generate Python code via an LLM template and then execute that generated script directly (create temp file + python3). Executing arbitrary code produced by an LLM is necessary for the skill's purpose but grants broad discretion and could be used to run unexpected commands, read/write arbitrary files, or contact networks if the generated code includes such actions. The SKILL.md template and scripts do not explicitly constrain or sandbox the generated code.
Install Mechanism
No install spec (instruction-only) — nothing is downloaded or installed by the skill itself. The presence of code files is low-risk compared to remote installers.
!
Credentials
The skill declares no required env vars, but scripts hardcode absolute paths (/home/celluloid/.openclaw/workspace/stl-exports and /home/celluloid/.openclaw/workspace/venvs/cad/bin/activate). This implicitly requires a specific user environment and a pre-existing virtualenv; sourcing that venv runs whatever is inside it (potentially arbitrary code). The skill also assumes Python + trimesh/numpy are available but does not declare these requirements.
Persistence & Privilege
always is false (normal). SKILL.md suggests creating files under ~/.openclaw/workspace and even provides a sample cron job JSON — the cron is only an example, but scheduling automated runs would increase risk because it enables recurring execution of generated code. The skill does not request elevated privileges nor modify other skills.
What to consider before installing
This skill appears to do what it says (generate 3D models), but it executes Python that is produced by an LLM and sources a hardcoded virtualenv path. Before installing or running: (1) inspect any generated Python scripts before execution, don't run unreviewed code produced by an LLM; (2) avoid using the hardcoded /home/celluloid paths—adjust to your own sandboxed workspace; (3) ensure the referenced virtualenv is trusted (or create an isolated venv yourself) because 'source' will run arbitrary activation code; (4) if you allow automation (cron), run it in a contained environment and not as root; (5) consider running the generator in a sandbox/container and restrict network access to prevent exfiltration. If you want, I can list the exact lines to change to make paths configurable and to add sandboxing checks (e.g., prompt the user for confirmation before executing generated code).

Like a lobster shell, security has layers — review code before you run it.

latestvk972fgcckqsdsc6q5va7gvvh5n81aepm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments