CAD Editor

Pass. Audited by VirusTotal on May 1, 2026.

Overview

Type: OpenClaw Skill
Name: cad-editor
Version: 1.0.0

The CAD Editor skill bundle implements a workflow where natural language is converted into Python scripts that are subsequently executed to generate DXF and image files. A significant security risk is identified in SKILL.md, which explicitly instructs the AI agent to use 'exec(script_code)' to run generated logic, creating a high potential for Remote Code Execution (RCE) if the input is not strictly sandboxed. While the underlying Python modules (e.g., scripts/nl_parser/script_generator.py and scripts/core/renderer.py) appear to be legitimate CAD utilities using ezdxf and matplotlib, the architectural choice to execute dynamically generated code based on user prompts is a major vulnerability.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A faulty or unexpectedly generated script could affect local files or the Python environment, even though the provided artifacts show intended CAD output behavior.

Why it was flagged

The skill's disclosed workflow executes generated Python to create CAD output. This is central to the stated purpose, but it runs with the local Python process's permissions rather than an explicit sandbox.

Skill content
script_code = gen.generate(intent, params)
...
exec(script_code)
Recommendation

Run the skill in a project workspace or virtual environment, keep output paths explicit, and review generated scripts for unusual imports, file operations, shell calls, or network access before they are executed.

What this means

Different package versions may change behavior or introduce dependency risk in the user's Python environment.

Why it was flagged

The skill asks users to install required CAD/rendering dependencies without pinning versions. The packages are purpose-aligned, but unpinned installs can change over time.

Skill content
Install command: `pip install ezdxf matplotlib numpy`
Recommendation

Install dependencies in a virtual environment and pin known-good versions if the skill will be used for repeatable or production workflows.