Skill v1.0.0

ClawScan security

rodin3d-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 13, 2026, 6:59 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely implements what it claims (image/text → 3D via Hyper3D), but there are mismatches and a few risky/incoherent choices (undeclared required API key, a documented shared 'free' API key, and minor privacy/leakage behaviors) that warrant caution before installing.
Guidance
This skill appears to implement the advertised Hyper3D / Rodin Gen-2 functionality, but there are a few red flags you should consider before using it:
- The skill requires a HYPER3D_API_KEY (used by the code) but the registry metadata doesn't list it — assume the API key is required and should be provided only by you.
- The SKILL.md suggests a shared free key value ('vibecoding'). Do NOT use a public/shared API key unless you understand who owns it, what limits and billing apply, and whether its use is authorized — using someone else's key can lead to unexpected charges or abuse of your account.
- The generate script prints parts of your API key and logs input parameters to the console. That can leak secrets or sensitive prompts into logs. If you run this, do so in a trusted, private environment and consider modifying the script to avoid printing key substrings and sensitive inputs.
- If you plan to run the code: inspect the three Python files locally (they are short), run in an isolated environment (virtualenv/container), and do not commit any .env or key to version control. Verify the api.hyper3d.com domain and the API behavior against official Hyper3D documentation if available.
- If you are unsure about the origin or authorization of the 'vibecoding' key, contact Hyper3D or obtain your own API key.
If these issues are acceptable and you will supply your own API key and avoid using shared credentials, the skill is likely usable; otherwise treat it cautiously or request a corrected metadata declaration and removal of the shared-key recommendation.

Review Dimensions

Purpose & Capability
note: The code and SKILL.md implement a Hyper3D Rodin Gen-2 client that submits jobs, polls status, and downloads results, which matches the name/description. However, the registry metadata lists no required environment variables while the SKILL.md and code require HYPER3D_API_KEY — this metadata omission is an inconsistency that should be corrected.

Instruction Scope
concern: Instructions and scripts are narrowly scoped to submitting jobs, polling, and downloading from api.hyper3d.com (expected). Concerns: the documentation recommends a hardcoded 'free' API key value ('vibecoding') as a fallback, which encourages use of a shared key of unknown origin/authorization. The generate script prints portions of an environment API key (env_api_key[:5]...env_api_key[-5:]) to the console and logs input parameters before calling the API — these behaviors can expose secret material or user data in logs and should be avoided or made optional.

Install Mechanism
ok: No install script/downloads; requirements.txt lists only requests and Pillow. Provided code files are local and standard. No unusual network installs or remote archive extraction were observed.

Credentials
concern: The only credential used is HYPER3D_API_KEY, which is appropriate for this API client — but the skill's registry metadata declares no required env vars (mismatch). Additionally, recommending a public/shared 'vibecoding' API key in the docs is disproportionate and potentially abusive (it may exceed intended use/billing or be unauthorized). The code's partial printing of API key values risks leaking credentials via console output/logs.

Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills or system-wide settings, and only writes model output files to user-specified output directories. It suggests saving the key to a local .env file (user action), which is normal for CLI tools.