Openclaw 3d Blender MCP

Security checks across malware telemetry and agentic risk

Overview

This Blender MCP setup skill is mostly coherent, but several bundled helper scripts default to hard-coded public ngrok endpoints and can send Blender commands or Python code without clear user control.

Review before installing. Prefer a localhost-only setup, replace or remove the hard-coded ngrok hosts, do not run the direct remote client scripts unless you own and trust the endpoint, and treat execute_blender_code as full Blender Python execution: it can change scenes and reach anything Blender itself can reach (files, network, the embedded Python interpreter).

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Tainted flow: 'env' from os.environ.get (line 125, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
import subprocess

def run_mcp_command(mcp_path, env, method, params, timeout=10):
    """Send command to MCP server and get response"""
    # `env` originates from os.environ.get (line 125 of the script) and is passed
    # to the child unchanged, so whatever the agent's shell holds reaches the MCP server.
    mcp = subprocess.Popen(
        [mcp_path],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        text=True,
        env=env,
        bufsize=1,
    )
Confidence
82% confidence
Finding
mcp = subprocess.Popen([mcp_path], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, env=env, bufsize=1)
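
The fix for this flow is to stop forwarding the parent environment wholesale. The code below is an added example, not the skill's run_mcp_command: it builds the child environment from an allowlist, reports credential-looking names before launch, and keeps the JSON-RPC 2.0 over stdio request shape that MCP servers expect. The variable names and markers are illustrative choices, and the constructed parent environment in the usage is made up.

```python
"""Minimal environment for a stdio MCP server child process (added example).

The flagged helper forwards an `env` derived from os.environ to subprocess.Popen, so
every variable in the agent's shell (cloud keys, API tokens, proxy credentials) reaches
the MCP server and anything it launches. Build the child environment from an allowlist
instead, and pass anything secret on purpose through `overrides`.
"""
import json
import os
import subprocess

# What a local stdio server needs to start; extend per server, deliberately.
BASE_ALLOW = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR", "SYSTEMROOT", "TEMP", "TMP")
# Name fragments that usually mark a credential; a guard, not a complete classifier.
SECRET_MARKERS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "PASSWD", "CREDENTIAL")


def build_child_env(parent, allow=BASE_ALLOW, overrides=None):
    """Fresh env containing only allowlisted names from `parent`, plus explicit overrides."""
    env = {name: parent[name] for name in allow if name in parent}
    env.update(overrides or {})
    return env


def suspicious_names(env):
    """Names that look like credentials; use as a pre-launch guard or an audit log line."""
    return sorted(name for name in env if any(m in name.upper() for m in SECRET_MARKERS))


def run_mcp_command(mcp_cmd, env, method, params, timeout=10, allow_secrets=False):
    """Send one JSON-RPC 2.0 request (MCP's stdio wire format) and return the raw reply text.

    Refuses to launch when `env` carries credential-like names unless the caller says so.
    """
    leaked = suspicious_names(env)
    if leaked and not allow_secrets:
        raise ValueError(f"refusing to launch MCP server with credential-like env vars: {leaked}")
    request = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params}) + "\n"
    proc = subprocess.Popen(
        list(mcp_cmd), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        text=True, env=env,
    )
    try:
        out, _err = proc.communicate(request, timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.communicate()
        raise
    return out


if __name__ == "__main__":
    import sys
    # EXAMPLE_SETTING is a hypothetical server setting, passed on purpose rather than inherited.
    child_env = build_child_env(os.environ, overrides={"EXAMPLE_SETTING": "1"})
    print("kept back from the child:", suspicious_names(os.environ) or "nothing credential-like")
    # Echo child standing in for a real server: it prints the request back and lists the
    # variables it actually received, which should be only the allowlisted ones.
    echo = [sys.executable, "-c",
            "import os, sys; sys.stdout.write(sys.stdin.read()); print(sorted(os.environ))"]
    print(run_mcp_command(echo, child_env, "ping", {}), end="")
```

The guard deliberately checks the environment you are about to pass, not os.environ, so a server that genuinely needs a token gets it through `overrides` with `allow_secrets=True` and that decision is visible at the call site.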

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill instructs use of shell commands, network connectivity, MCP integration, environment variables, and file/script access, yet it declares no permissions. That mismatch can lead users or hosting platforms to authorize behavior they were not clearly warned about, increasing the chance of unsafe execution in environments with broader access than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is installation/setup guidance, but the behavior found by analysis includes operational control of Blender, remote code execution via execute_blender_code, and network-exposed access paths. This kind of description-behavior gap is dangerous because users may trust the skill as a benign setup helper while it actually enables live scene manipulation and potentially remote command execution against Blender.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file header states this is a direct client that talks to a Blender addon over TCP, which materially exceeds the stated skill purpose of installation, setup, verification, and study of resources. This mismatch is dangerous because users may run the script expecting local setup assistance while it actually enables remote scene-control actions against a network endpoint.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script connects to a hard-coded ngrok TCP endpoint and forwards arbitrary command types and JSON parameters supplied on the command line. That creates an unbounded remote command channel to a third-party host, which can manipulate Blender scenes or trigger unintended addon behavior, and the hard-coded tunnel obscures where user data and commands are being sent.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The script is hard-coded to connect to an ngrok-exposed external endpoint and send generic command objects, which materially expands the skill from setup/documentation into remote control capability. In the context of a Blender MCP environment, this can enable unintended remote operations against a live Blender instance and creates a trust boundary crossing not reflected in the skill description.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The CLI accepts any command name and arbitrary JSON parameters, then forwards them directly to the remote Blender endpoint without validation or restriction. If the remote addon supports powerful actions, this becomes a generic remote action primitive that can be abused to manipulate files, scenes, or automation workflows beyond the stated installation/setup purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script hard-codes an external ngrok endpoint and connects to it immediately, which creates remote network access outside the local Blender environment. In this skill context the command requests scene information, so users may unintentionally send metadata about their Blender project to a publicly reachable third-party host, with no authentication or trust verification shown in the script.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script deliberately invokes the `execute_blender_code` MCP tool with arbitrary Python source, enabling code execution inside Blender. In the context of an installation/setup skill, this is broader than necessary and especially risky because the default target is a remote ngrok endpoint, expanding the blast radius from local automation to remote code execution against a Blender-connected environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The remote setup tells users to expose Blender through ngrok but does not clearly warn that this publishes access to a service that can control the Blender instance and potentially execute actions remotely. If misconfigured or discovered by an attacker, the exposed tunnel could allow unauthorized scene changes, abuse of MCP tooling, or broader compromise depending on Blender/plugin capabilities.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Command parameters are serialized and sent over the network to a remote ngrok host without an explicit warning, consent prompt, or data-sensitivity notice. This is risky because users may unknowingly transmit project names, object metadata, scene details, or other sensitive workflow information to an external service.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script transmits command data to an external ngrok host but provides no meaningful warning, consent prompt, or trust/authentication mechanism for the remote destination. Users may unknowingly send operational data off-machine to a transient public tunnel endpoint, increasing the risk of interception, misuse, or connection to the wrong service.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The client prints up to 3000 characters of raw server response directly to stdout, which can expose scene details, paths, tokens, or other sensitive data in terminal history or logs. Because the response originates from a remote service, this also increases the chance of leaking unexpected or attacker-controlled content to shared consoles and CI logs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script opens a network connection to an external host and sends a JSON command without clearly warning the user that scene-related data or metadata may leave the machine. In a Blender MCP setup that can expose project contents, this omission increases the risk of unintended disclosure, especially because ngrok endpoints are public-facing and ephemeral.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script connects to a hard-coded external ngrok endpoint and sends JSON-RPC command data over a raw TCP socket without any explicit user consent, destination validation, or transport security. In the context of a Blender MCP client for local/remote control, this is risky because users may believe they are interacting with a local tool while their commands and scene-related data are being sent to a third-party tunnel endpoint that can change ownership or exposure over time.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script executes a remote Blender tool capable of running Python automatically and without any user warning, approval, or trust validation. Given the default configuration points to `8.tcp.ngrok.io`, this can cause silent execution of code on or via a remotely exposed Blender service, which is substantially more dangerous than local-only setup verification.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script initiates a raw TCP connection to an external ngrok endpoint and exchanges command/response data without any user warning, trust validation, or transport authentication. In this skill’s context, the script is explicitly intended to connect Blender/MCP services over the internet, which increases the chance that scene data, metadata, or future commands are sent off-host to an endpoint the operator may not fully control.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The verification routine executes Blender code that modifies the current scene by creating an object without explicit consent, temporary scene isolation, or cleanup. In a creative tool context, silent scene mutation can damage user work, pollute project state, and persist unexpected artifacts in saved files; this is more concerning here because the script is presented as a simple connectivity check.

VirusTotal

64/64 vendors flagged this skill as clean.
