Build123d Cad

Security checks across malware telemetry and agentic risk

Overview

This is a coherent CAD skill, but it should be reviewed because it runs local Python CAD scripts with weak isolation and can write exported files outside the documented output folder.

Install only if you are comfortable with the agent running locally generated Python for CAD work. Review generated scripts and filenames before execution, avoid untrusted CAD scripts, and prefer running this skill in a separate sandboxed workspace or container if sensitive files or credentials are present.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Tainted flow: 'clean_env' from os.environ.get (line 108, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
        clean_env["PATH"] = f"{venv}/bin:{clean_env['PATH']}"

        try:
            proc = subprocess.run(
                [sys.executable, str(script_path)],
                capture_output=True, text=True,
                timeout=timeout, cwd=tmpdir, env=clean_env,
Confidence
88% confidence
Finding
proc = subprocess.run( [sys.executable, str(script_path)], capture_output=True, text=True, timeout=timeout, cwd=tmpdir, env=clean_env,

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module docstring makes strong security claims about a 'clean environment' and sandboxing, but the implementation passes through host PATH and may propagate VIRTUAL_ENV. In a skill designed to execute user-supplied Python, overstating isolation is dangerous because it can lead maintainers to rely on weak controls and miss realistic escape or information-leak avenues.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly states that the skill generates CAD outputs from Python scripts using the `exec` tool, and later says all scripts accept valid build123d Python. Because build123d script input is full Python rather than a constrained DSL, this creates an arbitrary code execution path in the agent environment, not merely CAD generation; a malicious or prompt-injected script could read files, access credentials, or modify the workspace. In this skill context, that is especially dangerous because the agent is expected to synthesize and execute code on behalf of users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file directly interpolates user-controlled Python source into a script that is then executed in a subprocess. Although the docstring says it runs "All in subprocess" and calls a helper named run_sandboxed, this file provides no visible validation, restriction, or user disclosure, so arbitrary code execution is being intentionally enabled and the safety of the entire feature depends on the sandbox being perfect. In a CAD skill, accepting executable model scripts is part of the product design, but that context also means untrusted code is a routine input path, increasing the importance of strong isolation and clear warnings.

VirusTotal

66/66 vendors flagged this skill as clean.
