ClawHub

OpenClaw 3D建模与模型处理 SuperSkill V1.0.0

Security checks across malware telemetry and agentic risk

Overview

This 3D modeling skill is mostly purpose-aligned, but it can read, write, batch-create, and automatically overwrite local files without clear path limits or confirmation.

Install only if you are comfortable with the skill reading model directories and writing or overwriting files you specify. Use it in a dedicated workspace/output folder, avoid pointing it at important directories, and review paths carefully before running conversion, export, screenshot, or batch operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises export, screenshot saving, and batch processing capabilities, but does not clearly warn that these operations may create, overwrite, or bulk-modify local files. In an agent setting, unclear file-write semantics can lead to unintended data loss, overwriting of user assets, or large-scale filesystem changes when the skill is invoked automatically or ambiguously.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill performs numerous file creation/export operations based on caller-supplied paths and filenames without any confirmation, path restrictions, or safe-write policy. In an agent context, this can overwrite or create files on the host unexpectedly, especially because some code paths write directly to arbitrary output locations rather than confining writes to the skill output directory.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly states that same-named output files are overwritten automatically, creating a real risk of unintended data loss or destructive file replacement when users supply an existing path. In a skill that performs file import/export, conversion, rendering, and batch processing, this behavior can silently destroy prior work or overwrite important artifacts if paths are reused or constructed incorrectly.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes broad generic phrases such as '格式转换', '模型处理', and '3D打印', which can cause the skill to activate on unrelated user requests that merely mention common 3D topics. In an agent environment, overbroad activation can expose file-processing capabilities unexpectedly, increasing the chance of unintended file access, conversion, rendering, or batch operations without clear user intent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documentation advertises import/export, batch conversion, output generation, and screenshot saving, all of which imply reading from and writing to user-controlled paths, but it provides no explicit warning about file overwrite, sensitive file exposure, directory scope, or safe output locations. In an autonomous agent setting, this omission raises the risk that a user or upstream workflow invokes destructive or privacy-impacting file operations without informed consent or boundary checks.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The batch-processing feature performs bulk reads from a caller-specified directory and writes many derived files to a caller-specified output directory with no path restrictions, quota checks, overwrite protection, or user confirmation. In an agent context, this increases the risk of unintended filesystem modification, disk consumption, and overwriting user data if untrusted parameters are supplied.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The direct export operation writes to a fully caller-controlled path via mesh.export(output_file) without any validation or confinement to a safe directory. In an agent execution environment, this can be abused to overwrite arbitrary writable files, create files in sensitive locations, or unexpectedly modify the host filesystem.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal