Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shop Prentice
v1.0.0Generates parametric Fusion 360 Python scripts to model furniture with component-based, feature-driven, interference-free, and joinery-accurate designs.
⭐ 0· 49·0 current·0 all-time
by@ylzha
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (parametric Fusion 360 Python scripts) aligns with the content: SKILL.md and the included woodworking docs provide modeling rules, templates, and MCP integration. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
The runtime instructions direct installing a ShopPrentice Fusion 360 add-in and using a local MCP server (http://localhost:9100). They reference local paths (e.g., ~/.shopprentice/hardware), call out commands like curl | bash to install code, and instruct the agent to interact with Fusion 360 internals (capture_design, execute_script, get_selection). These actions reach into the user's machine and Fusion environment and are not limited to generating code text; they could cause the agent or a human to execute installers and run code locally.
Install Mechanism
The registry contains no formal install spec but SKILL.md instructs running a remote installer via curl -sSL https://raw.githubusercontent.com/ShopPrentice/shopprentice/main/install.sh | bash. While raw.githubusercontent.com is a common host, piping a remote script directly to bash is high‑risk: the installer will execute arbitrary commands on the user's machine and may install a persistent service. The skill does not embed or declare the installer, so the registry can't be used to audit it.
Credentials
The skill does not request environment variables or external credentials (none declared), which is proportionate. However, the instructions assume the ability to install an add-in, create files under ~/.shopprentice, and open/use a localhost MCP endpoint — implicit local filesystem and Fusion 360 application privileges not reflected in registry metadata.
Persistence & Privilege
The skill itself is instruction-only and not marked always:true, but it explicitly directs installing a Fusion 360 add-in that provides an MCP server and helper library (a persistent component running on localhost). That creates ongoing local persistence and a local network endpoint the agent or other processes could use; the registry metadata does not surface this persistent installation step.
What to consider before installing
This skill appears to do what it says (generate Fusion 360 Python scripts and optionally drive Fusion via an add-in), but it asks you to install and run external code on your machine (a curl | bash installer from raw.githubusercontent.com) and to enable a persistent local add-in that exposes an MCP server on localhost:9100. Before installing or following its instructions: 1) Inspect the install.sh and the GitHub repo yourself (don’t pipe blindly to bash). 2) Verify the repository owner and recent commit history to ensure the project is legitimate. 3) Prefer running generated scripts manually in Fusion's Script Manager rather than installing the add-in if you want to avoid persistent services. 4) If you need the add-in, run the installer in an isolated environment (VM) or sandbox first and review what files/services it creates (especially ~/.shopprentice and any daemon/listener). 5) Be aware that installing the add-in grants it access to your local Fusion documents and filesystem; no cloud credentials are requested by the skill, but local access is required for the live execution features. If you share sensitive Fusion documents or work on sensitive IP, audit the add-in code prior to installation or avoid the optional install and use the skill only to generate scripts for manual review and execution.Like a lobster shell, security has layers — review code before you run it.
latestvk97065rcha0j15sjbzpz5rkx7183jr27
License
MIT-0
Free to use, modify, and redistribute. No attribution required.