Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Build123d Cad

v1.1.2

Parametric 3D CAD via build123d. Generate STEP, STL, SVG from Python scripts. Use when the user asks to design, model, create, or export 3D parts, enclosures...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (parametric CAD via build123d) matches the actual code and runtime behavior: the scripts generate STEP/STL/SVG, measure geometry, create sections, and validate assemblies. The only declared binary is python3, which is appropriate. No unrelated credentials, config paths, or extraneous binaries are requested.
Instruction Scope
SKILL.md instructs creating a virtualenv and installing build123d (expected). Runtime instructions and script APIs are narrowly scoped to CAD tasks. The runtime inserts user code into sandboxed Python scripts and runs them; the helper enforces a static whitelist/blacklist on the user-submitted code. Note: the sandboxing is implemented via static regex checks and import whitelisting on the user code slice — this limits many risky operations, but static checks are not a perfect guarantee against creative escapes.
Install Mechanism
There is no automated install spec (instruction-only). SKILL.md asks the user to create a venv and pip install build123d — a normal, low-risk approach but it does require outbound network access to PyPI (or other configured pip sources). No downloads from untrusted URLs or archive extraction are present in the skill bundle itself.
Credentials
The skill requires no credentials or config paths. The helper runtime purposely constructs a small clean environment for subprocesses (PATH, HOME set to tmpdir, TMPDIR, PYTHONDONTWRITEBYTECODE, and explicit _RESULT_PATH/_WORKSPACE). One subtlety: if the parent process has VIRTUAL_ENV set, run_sandboxed propagates VIRTUAL_ENV and prefixes PATH with that venv — this is practical for ensuring the venv's Python is used but means the subprocess will run with whatever packages are available in that venv; ensure the venv used is the intended one.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It writes output artifacts to a workspace directory (~/.openclaw/workspace/cad-output by default) and manages its own temp files. It does not modify other skills or global agent config.
Assessment
This skill appears coherent and implements a sandbox to run user-provided build123d scripts. Before installing, consider: (1) you will need to create a Python venv and pip-install build123d (outbound network access to PyPI); (2) the sandbox uses regex-based static checks to block dangerous imports/patterns — helpful but not a formal proof against creative escapes, so avoid running it in an environment containing sensitive credentials or production venvs; (3) the helper will inherit VIRTUAL_ENV if your agent is running inside a venv, so create and activate a dedicated venv for this skill to ensure the subprocess runs with the intended packages; (4) exported artifacts are written to your workspace (~/.openclaw/workspace/cad-output by default), so check that path if you want to restrict where files are created. If you need stronger guarantees, review/modify the validate_script rules or run the scripts in an isolated environment (container/VM) before enabling for autonomous use.

Like a lobster shell, security has layers — review code before you run it.

latestvk979hmpsber7pmfbhe3pyc6y7183cepc


Runtime requirements

🔧 Clawdis
Bins: python3
