Skill v1.0.2

ClawScan security

Hunyuan 3D Model Generation Capability · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 4:06 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requested environment access are consistent with a Tencent Hunyuan 3D generation client and don't request unrelated permissions or install arbitrary software.
Guidance
This skill appears to be a straightforward client for Tencent's Hunyuan 3D OpenAI-compatible API. Before installing or using it:
(1) Understand that running the script will send your prompts and any provided image URLs along with your HUNYUAN_3D_API_KEY to Tencent's api.ai3d.cloud.tencent.com service; only provide an API key you trust to be used for this purpose.
(2) The script will download model artifacts to disk (./models by default); ensure you trust the sources of any image URLs you pass.
(3) Storing the API key in shell startup files makes it persistent on that account; treat it like a secret and rotate or revoke it if compromised.
(4) Review the bundled script if you want assurance (it's short and readable).
If you need additional assurance, request provenance for the skill (author/source) or run it in an isolated environment.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md, and the included Python script all describe a 3D generation client using an OpenAI-compatible Tencent Hunyuan 3D API. Required binary (python) and required env var (HUNYUAN_3D_API_KEY) are appropriate and expected.
Instruction Scope
ok: Runtime instructions tell the agent to set an API key env var and run the provided script, which submits jobs, polls status, and downloads results. The instructions do not request reading unrelated files, other credentials, or exfiltrating data to any endpoint beyond the documented Tencent API and model-result URLs.
Install Mechanism
ok: No install spec; the skill is instruction-only with a small bundled script. No external archives or unusual download/install steps are present.
Credentials
ok: Only a single API key (HUNYUAN_3D_API_KEY) is required; that aligns with the documented OpenAI-compatible API Key authentication and is proportional to the skill's functionality.
Persistence & Privilege
ok: Skill is not forced-always, uses normal autonomous invocation defaults, and does not request persistent system-wide configuration changes or permissions beyond writing its own output files.