Skill v1.0.4
ClawScan security
3daistudio integration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 2:42 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose: it requires a single 3daistudio API key, calls the documented 3daistudio endpoints, uploads images (base64), and downloads returned model assets; nothing in the code or instructions requests unrelated credentials or installs arbitrary software.
- Guidance: This skill appears to do what it says: it sends your API key to 3daistudio and uploads image data (base64) to generate models, then downloads model assets returned by the service. Before installing, confirm you trust https://www.3daistudio.com (review their docs and privacy/security policy) and be aware that: (1) using the skill will consume credits from your account; (2) local images are uploaded to the service; (3) downloaded asset URLs returned by the API are written to disk without content checks, so do not open or execute files you don't trust; (4) the repository claims GLB files are ZIPs (that guidance may be inaccurate), so treat conversion instructions with caution. If you need stronger guarantees, consider running the script in an isolated environment (container) and keeping your API key scoped/limited per the provider's options.
Review Dimensions
- Purpose & Capability (ok): Name/description match the code and SKILL.md. The only required secret is THREE_D_AI_STUDIO_API_KEY, and the script talks only to https://api.3daistudio.com endpoints for generation, wallet, status, and assets. No unrelated services, binaries, or config paths are requested.
- Instruction Scope (note): Runtime instructions and the script stay within the stated purpose (submit generation requests, poll status, and download results). Note: the script base64-encodes and uploads local image files and will download the asset URL returned by the API and write it to disk without validating the MIME type or sandboxing; this is expected for this use case, but it means you should only use it with a trusted API/provider and be cautious about the destination path and about automatically executing or opening downloaded files.
- Install Mechanism (ok): No install spec; it's an instruction-only skill with a small Python script that uses only the standard library (urllib, argparse, base64, json). No remote downloads or archives are fetched during installation.
- Credentials (ok): Only one environment variable is required (THREE_D_AI_STUDIO_API_KEY), which is proportionate to the stated API usage. The script does not read other environment variables or credential files.
- Persistence & Privilege (ok): The skill does not request persistent or elevated privileges (always is false). It does not modify other skill configs or system-wide settings. It runs as a normal user process and writes only to the output path specified by the user.
