Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CAD Editor
v1.0.0CAD制图编辑器 — 用自然语言生成工程图纸(建筑平面图/机械零件/电气布置/管道系统/结构详图)。 支持DXF文件创建、渲染预览、批量导出。触发词:画平面图、CAD、工程图、建筑图、机械图、电气图、 管道图、结构图、画线/圆/矩形/多边形、尺寸标注、DXF、AutoCAD、施工图、配筋图、齿轮、轴承、 阀门、弯...
⭐ 0· 25·0 current·0 all-time
by波动几何@wangjiaocheng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (natural-language → DXF/PNG/SVG/PDF CAD generation) matches the shipped Python modules (NL parser, script generator, templates, renderer) and the declared Python dependencies (ezdxf, matplotlib, numpy). The provided templates and entity tool modules align with the stated CAD domains (architectural, mechanical, electrical, piping, structural).
Instruction Scope
Runtime instructions explicitly tell the agent to generate Python source (script_code) and run it via exec(script_code) or write+execute a temp file. Executing generated Python gives the skill broad ability to perform file I/O and arbitrary computation within the agent environment; this is functionally required for a code-generation-based CAD skill but increases runtime risk. The SKILL.md references only local files (intent_templates.json, scripts/*) and rendering output; there are no instructions to contact external endpoints or read unrelated system config or environment variables.
Install Mechanism
No install spec is present (skill metadata lists it as instruction-only), yet the package includes ~50 Python files that will be imported/executed at runtime. Dependencies are listed as pip packages (ezdxf, matplotlib, numpy) but no automated installer is provided. This is coherent but means the agent/runtime must already have or install these packages; lack of an install step may cause runtime attempts to pip-install or fail. No downloaded remote archives or external installers were observed in the files reviewed.
Credentials
The skill requires no environment variables, no credentials, and does not request access to unrelated config paths. That is proportionate to a local CAD generator which operates on provided inputs and writes DXF/preview files.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. It writes output files (DXF/PNG/SVG/PDF) to local paths as expected for its purpose; no evidence that it modifies other skills or agent-wide settings.
Assessment
This package appears to be a legitimate CAD generator, but take these precautions before running it: (1) Review the script_generator and any template files (script_generator.py, intent_classifier.py, param_extractor.py) to ensure generated code is what you expect — the runtime uses exec(script_code) which can run arbitrary Python. (2) Run the skill in an isolated environment (container or sandbox) with limited filesystem access if possible, because it writes DXF/preview files to disk. (3) Ensure dependencies (ezdxf, matplotlib, numpy) are installed from trusted package indexes. (4) If you plan to use on sensitive hosts, search the remaining omitted files for any network calls or subprocess usage; if none exist, the blast radius is limited to local file I/O. If you want higher assurance, provide the full script_generator.py and any remaining files for review or run the skill first on non-production data/machine.Like a lobster shell, security has layers — review code before you run it.
latestvk97858e5qdx0evgdwbcr64vgpn84x6ys
License
MIT-0
Free to use, modify, and redistribute. No attribution required.