Shopprentice

Security checks across malware telemetry and agentic risk

Overview

ShopPrentice appears to be a real Fusion 360 woodworking skill, but it needs review because it installs a local control server that can inspect designs and run Fusion Python scripts without authentication.

Install it only if you trust the publisher and want an agent to control Fusion 360 on your machine. Pass explicit installer flags for just the client you use rather than letting the installer auto-detect clients, skip the MCP setup unless you need live Fusion execution, stop the Fusion add-in when it is not in use, and review or clear ~/.shopprentice and the temp capture folders if your CAD work is sensitive. Note that the server's localhost binding is not authentication: any local process, and any browser page that can reach a loopback URL, can send it requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (65)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"method": "tools/call",
        "params": {"name": tool, "arguments": args},
    })
    r = subprocess.run(
        ["curl", "-s", "-X", "POST", MCP_URL,
         "-H", "Content-Type: application/json", "-d", payload],
        capture_output=True, text=True, timeout=300,
Confidence
91% confidence
Finding
r = subprocess.run( ["curl", "-s", "-X", "POST", MCP_URL, "-H", "Content-Type: application/json", "-d", payload], capture_output=True, text=True, timeout=300, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
flipped_path = base + "_flipped" + ext
        if not os.path.exists(flipped_path):
            import subprocess
            subprocess.run(["sips", "--flip", "horizontal",
                            image_path, "--out", flipped_path],
                           capture_output=True)
Confidence
88% confidence
Finding
subprocess.run(["sips", "--flip", "horizontal", image_path, "--out", flipped_path], capture_output=True)

Tainted flow: 'MCP_URL' from os.environ.get (line 45, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"method": "tools/call",
        "params": {"name": tool, "arguments": args},
    })
    r = subprocess.run(
        ["curl", "-s", "-X", "POST", MCP_URL,
         "-H", "Content-Type: application/json", "-d", payload],
        capture_output=True, text=True, timeout=300,
Confidence
94% confidence
Finding
r = subprocess.run( ["curl", "-s", "-X", "POST", MCP_URL, "-H", "Content-Type: application/json", "-d", payload], capture_output=True, text=True, timeout=300, )
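
The curl invocation above is an argv list with no shell, so it is not shell injection; the exposure is that MCP_URL comes straight from the environment and decides where every tools/call, including design captures, is posted, and that the whole JSON payload rides on the command line where other local users can read it from the process table. The following is an added example, not code from the ShopPrentice project: it keeps the JSON-RPC 2.0 tools/call shape visible in the finding, drops the curl subprocess for urllib, and pins MCP_URL to a plain-http loopback target. The loopback allow-list, the function names and the refuse-rather-than-default policy are this example's own choices.

```python
"""Hardened replacement for the flagged tools/call helper (added example)."""
import json
import os
import urllib.request
from typing import Optional
from urllib.parse import urlsplit

# A server that executes Fusion scripts should only ever be reached on loopback;
# any other host in MCP_URL means the environment has been tampered with.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def validate_mcp_url(url: str) -> str:
    """Return url unchanged if it is http:// to a loopback host, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError(f"MCP_URL must be http:// to loopback, got scheme {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("MCP_URL must not carry credentials")
    if parts.hostname not in LOOPBACK_HOSTS:
        raise ValueError(f"MCP_URL host {parts.hostname!r} is not loopback")
    return url


def build_tools_call(tool: str, args: dict, request_id: int = 1) -> bytes:
    """Serialize one JSON-RPC 2.0 tools/call request as UTF-8 bytes."""
    if not isinstance(tool, str) or not tool:
        raise TypeError("tool name must be a non-empty string")
    if not isinstance(args, dict):
        raise TypeError("tool arguments must be a JSON object (dict)")
    return json.dumps({
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": tool, "arguments": args},
    }).encode("utf-8")


def call_tool(tool: str, args: dict, url: Optional[str] = None, timeout: float = 300) -> dict:
    """POST a tools/call request in-process; the body never touches a command line.

    MCP_URL is read from the environment only when no url is given, and a missing
    value is an error rather than a silent default to some guessed port.
    """
    target = url or os.environ.get("MCP_URL")
    if not target:
        raise RuntimeError("MCP_URL is not set; refusing to guess a server")
    target = validate_mcp_url(target)
    req = urllib.request.Request(
        target,
        data=build_tools_call(tool, args),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

validate_mcp_url only constrains the destination; it does not authenticate the server or the client, which is the separate problem raised in the next finding.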

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The module-level description explicitly advertises JSON-RPC/MCP capabilities for design introspection, timeline capture, script execution, and screenshots, which materially exceeds the user-facing woodworking/CAD modeling scope. That scope expansion increases attack surface by enabling local automation and data access features that could be abused by any local client able to reach the server, especially in a privileged CAD environment.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code starts a localhost MCP server and registers tools/resources after initializing task, action-log, and session subsystems, while the file header states the server supports script execution and screenshot/introspection features. Even though it binds to localhost, this still exposes sensitive CAD automation capabilities to any local process or browser-assisted local request path, enabling unauthorized command execution, design data access, or capture of user work without being justified by the advertised furniture-modeling function.
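
Binding to 127.0.0.1 keeps remote hosts out but leaves two local paths open: any process on the machine, and any web page that can make the user's browser POST to a loopback URL (directly, or via a DNS name that resolves to 127.0.0.1). The block below is an added example, not ShopPrentice code, showing the three checks a loopback-only JSON-RPC server still needs: a Host allow-list that defeats DNS rebinding, rejection of any request carrying an Origin header (browsers always send one cross-origin; a local agent client does not), and a per-launch bearer token compared in constant time. The handler, the token hand-off by printing it, and the echo "dispatch" are stand-ins for the add-in's real tool registry.

```python
"""Authorization gate for a loopback JSON-RPC (MCP) server (added example)."""
import hmac
import http.server
import json
import secrets

ALLOWED_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def _host_without_port(host: str) -> str:
    """Strip ':port' from a Host header value, keeping bracketed IPv6 literals intact."""
    host = host.strip()
    if host.startswith("["):
        return host[: host.index("]") + 1] if "]" in host else host
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def authorize_request(headers, expected_token: str):
    """Return (True, "ok") or (False, reason). `headers` is any mapping with .items()."""
    h = {str(k).lower(): str(v) for k, v in headers.items()}
    host = h.get("host", "")
    if _host_without_port(host) not in ALLOWED_HOSTS:
        return False, f"host header {host!r} not in loopback allow-list"
    if "origin" in h:
        return False, "browser-originated request (Origin header present) refused"
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented.strip():
        return False, "missing bearer token"
    if not hmac.compare_digest(presented.strip().encode(), expected_token.encode()):
        return False, "bad bearer token"
    return True, "ok"


class McpHandler(http.server.BaseHTTPRequestHandler):
    token = ""  # set by serve(); one fresh token per server launch

    def do_POST(self):
        ok, reason = authorize_request(self.headers, self.token)
        if not ok:
            self.send_error(403, "forbidden", reason)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = json.loads(self.rfile.read(length) or b"{}")
        # Real dispatch to the tool registry would go here; this only echoes the method.
        reply = {"jsonrpc": "2.0", "id": body.get("id"),
                 "result": {"accepted": body.get("method")}}
        data = json.dumps(reply).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def serve(port: int = 0) -> None:
    """Bind loopback only, mint a token, print it once, and serve forever."""
    McpHandler.token = secrets.token_urlsafe(32)
    srv = http.server.HTTPServer(("127.0.0.1", port), McpHandler)
    print(f"listening on 127.0.0.1:{srv.server_port}; bearer token: {McpHandler.token}")
    srv.serve_forever()


if __name__ == "__main__":
    serve()
```

In a real add-in the token would be written to a 0600 file the client reads rather than printed, and the Host allow-list should match whatever hostnames the client is configured to use; an unbracketed IPv6 literal or any other name is rejected by design.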

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The UI explicitly advertises a workflow to capture structural changes made in Fusion and forward them for Claude Code script integration, which is an external data-sharing capability beyond simple local CAD parameter editing. In a CAD/plugin context, captured model structure, design intent, and feature history can contain sensitive proprietary design information, and the page provides no meaningful disclosure, scoping, or consent details about what is collected and transmitted.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
A Claude Code integration/capture feature is exposed in a woodworking modeling add-in without clear justification from the stated purpose, creating a hidden trust-boundary expansion from local modeling to external assistant-assisted code/script updates. That mismatch increases the risk of unauthorized disclosure of design metadata or unintended automation actions, especially where users expect a CAD tool rather than a sync/export client.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The UI explicitly offers a workflow to capture structural changes made in Fusion and send them to an external assistant ('Claude Code'), which extends beyond local parameter editing and rebuild behavior. In a CAD add-in context, this can expose design structure, feature history, and potentially proprietary model details to an external system without a clearly bounded purpose or explicit consent flow.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The text directs users to send captured structural changes to Claude Code, indicating an external assistant integration path not obviously required for furniture model generation. In a woodworking/CAD environment, structural edits may encode sensitive design IP, so undisclosed or weakly justified external transmission increases confidentiality and supply-chain risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The palette's refresh path goes beyond UI parameter editing: it patches the tracked script, optionally writes it back to disk, and then re-executes it. That creates a code-modifying/code-executing path from a GUI action, so a malformed or unexpected parameter value can alter script contents and trigger execution with broader effects than a normal parameter change.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code persistently records detailed user command activity and writes it to per-document JSONL files under the user's home directory. For a furniture-modeling skill, this creates an unnecessary telemetry/audit trail that may expose sensitive project names, editing history, and design behavior without any visible consent or retention controls.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This module is designed to capture each user UI action individually and preserve it between agent calls, which is broader than what is obviously required for CAD generation. In context, that creates a surveillance-like capability over user behavior that can reveal workflows and sensitive design activity, especially because the logging is event-driven and continuous once started.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This package initializer registers a broad set of tools, including script execution, add-in reload, document management, and media-generation capabilities that go beyond the stated furniture-modeling purpose. In an agent skill context, exposing unnecessary capabilities increases attack surface and enables capability creep, making it easier for prompts or downstream logic to trigger sensitive actions unrelated to CAD generation.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
Registering general-purpose script execution and add-in control tools inside a user-facing modeling skill creates a powerful execution surface that can be abused if the agent is manipulated or if tool access controls are weak. Because the declared purpose is furniture modeling, these capabilities are not obviously necessary and materially raise the risk of arbitrary code execution, unauthorized environment changes, or tampering with open documents and the host application.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The tool silently writes a full design capture, including parameters, component structure, body geometry, and timeline data, to a local temp file even though its primary behavior appears to be in-memory inspection and summarization. This creates an undisclosed persistence channel for potentially sensitive CAD/design IP, increasing exposure to other local users, processes, backups, or later collection by unrelated components.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Persisting complete design data to the filesystem is not clearly required for the stated CAD capture workflow and expands the attack surface beyond the active Fusion session. The saved JSON may contain proprietary dimensions, model topology, and feature history that can be recovered later from temp storage, making confidentiality loss more likely even without network exfiltration.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The tool promises to restore the timeline after inspection, but the hidden `no_restore` parameter allows callers to leave the model in a modified timeline state. In a CAD automation context, this can cause subsequent tools to operate on an unexpected partial model state, leading to corrupted outputs, misleading diagnostics, or unintended destructive edits.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The debug path writes detailed model geometry and body metadata to predictable files under `/tmp`, which can expose sensitive design information to other local users or processes on shared systems. Because this is unrelated to the advertised furniture-modeling function and occurs without clear user consent, it creates an unnecessary confidentiality risk.
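
Predictable paths under a world-readable /tmp let any local user read the capture, pre-create the file, or plant a symlink that redirects the write. The following added example (not ShopPrentice code) shows the fix a reviewer would ask for in both this finding and the design-capture findings above: a 0700 directory under the user's home, a 0600 file with an unguessable name opened with O_EXCL, and a purge helper that implements the "review or clear the capture folders" advice from the overview. The ~/.shopprentice/captures location and the sample capture contents are assumptions.

```python
"""Private capture storage instead of predictable files under /tmp (added example)."""
import json
import os
import stat
import tempfile
import time
from pathlib import Path


def private_capture_dir(root=None) -> Path:
    """Create or reuse a directory readable only by the current user."""
    root = Path(root) if root else Path.home() / ".shopprentice" / "captures"  # assumed location
    root.mkdir(parents=True, exist_ok=True)
    root.chmod(0o700)  # mkdir honours the umask; force the mode explicitly
    return root


def write_private_capture(capture: dict, root: Path, label: str = "design") -> Path:
    """Write capture as JSON to a fresh 0600 file and return its path.

    mkstemp opens with O_CREAT|O_EXCL and mode 0600, so a pre-planted symlink
    or a file created by another local user cannot be reused or raced.
    """
    fd, name = tempfile.mkstemp(prefix=f"{label}-", suffix=".json", dir=root)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(capture, fh)
    return Path(name)


def file_mode(path) -> int:
    """Permission bits only (e.g. 0o600), for checks and tests."""
    return stat.S_IMODE(os.stat(path).st_mode)


def purge_captures(root: Path, max_age_s: float = 0) -> int:
    """Delete capture files at least max_age_s old (0 = all); return the count removed."""
    now = time.time()
    removed = 0
    for p in Path(root).glob("*.json"):
        if max_age_s <= 0 or now - p.stat().st_mtime >= max_age_s:
            p.unlink()
            removed += 1
    return removed


def demo() -> dict:
    """Round-trip a constructed capture through a throwaway directory."""
    root = private_capture_dir(tempfile.mkdtemp(prefix="capture-demo-"))
    sample = {  # constructed sample capture, not real ShopPrentice output
        "document": "Desk.f3d",
        "parameters": {"top_thickness_mm": 19.0, "leg_height_mm": 720.0},
        "bodies": ["Top", "Leg1", "Leg2", "Leg3", "Leg4"],
    }
    path = write_private_capture(sample, root)
    result = {
        "dir_mode": file_mode(root),
        "file_mode": file_mode(path),
        "unpredictable_name": path.name != "design.json",
        "round_trip": json.loads(path.read_text(encoding="utf-8")) == sample,
        "purged": purge_captures(root),
    }
    os.rmdir(root)
    return result


if __name__ == "__main__":
    print(demo())
```

This assumes a POSIX filesystem (macOS, where the sips call in this skill runs, or Linux); on Windows the mode bits are not enforced and an ACL would be needed instead.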

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code persistently writes `appearance_state.json` to the local project directory, which is a side effect outside the core CAD-generation behavior described for the skill. Even though the content appears to be texture/appearance metadata rather than secrets, undeclared filesystem writes can leak project details, create unwanted artifacts, and violate least-surprise expectations for users running a modeling skill.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This block exports persistent local state unrelated to the desk geometry itself, including body names, texture choices, transforms, and file/image references. In a CAD skill context, such hidden persistence increases risk because it creates non-obvious local artifacts and may expose project structure or asset paths without user awareness.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
This helper performs an external OS command and creates a derivative file as a side effect during normal modeling work, even though the skill is primarily for CAD/furniture generation. In an agent setting, unexpected host-level command execution is more sensitive because user-supplied file paths or reference assets may come from outside the trusted design environment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer makes persistent changes outside simple skill installation: it writes into Claude/Codex skill directories, patches command files, installs a Fusion add-in symlink, and registers MCP servers. Those actions may be expected for integration tooling, but they materially modify the user's local AI and CAD environments beyond just providing furniture-model generation content. In the context of a skill installer, this increases attack surface and trust requirements because a single script gains broad control over multiple developer tools.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
When no flags are provided, the script probes for Claude Code and Codex and then automatically enables installation and MCP setup. Auto-detecting unrelated client environments and proceeding by default can cause unintended configuration changes in tools the user did not explicitly choose to modify. For an installer delivered via shell script, implicit cross-tool modification is risky because users may not realize the full scope before execution.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The installer appends a global hint into ~/.claude/CLAUDE.md so agents will invoke /woodworking in future sessions. Modifying a global assistant guidance file changes model behavior outside the immediate woodworking workflow and persists across tasks, which is a sensitive form of behavioral influence. In skill context, this is more dangerous because it alters agent prompting globally rather than limiting itself to local, user-invoked assets.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The uninstaller modifies files under ~/.claude by deleting a command file, editing the user's global CLAUDE.md, and removing a fusion360 MCP entry from settings.json. Those actions reach beyond uninstalling a Fusion 360 add-in and can remove or alter user/editor configuration, creating unwanted side effects and violating least surprise.
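
The practical check for an installer that touches several tools' configuration is to snapshot those files before running it and diff afterwards, and the same snapshot shows what ~/.shopprentice has accumulated (the review step recommended in the overview). The block below is an added example, not part of ShopPrentice. The watched paths come from the findings on this page (~/.claude/CLAUDE.md, ~/.claude/settings.json, the command files, ~/.shopprentice); the ~/.codex entry, the "mcpServers" key in settings.json, and the simulated installer's exact edits are assumptions standing in for install.sh so the example runs offline.

```python
"""Snapshot-and-diff the files a skill installer may touch (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED = (".claude/CLAUDE.md", ".claude/settings.json", ".claude/commands",
           ".codex", ".shopprentice")  # .codex layout is an assumption


def snapshot(home) -> dict:
    """Map every watched file (relative POSIX path) to its SHA-256."""
    home = Path(home)
    out = {}
    for rel in WATCHED:
        p = home / rel
        if p.is_file():
            files = [p]
        elif p.is_dir():
            files = [f for f in p.rglob("*") if f.is_file()]
        else:
            continue
        for f in files:
            out[f.relative_to(home).as_posix()] = hashlib.sha256(f.read_bytes()).hexdigest()
    return out


def diff_snapshots(before: dict, after: dict) -> dict:
    """Added, removed and content-changed paths between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def mcp_servers(settings_path) -> set:
    """Names of MCP servers registered in settings.json (assumed 'mcpServers' key)."""
    settings_path = Path(settings_path)
    if not settings_path.is_file():
        return set()
    return set(json.loads(settings_path.read_text()).get("mcpServers", {}))


def simulate_installer(home: Path) -> None:
    """Constructed stand-in for install.sh: the side effects the findings describe."""
    claude = home / ".claude"
    (claude / "commands").mkdir(parents=True, exist_ok=True)
    with (claude / "CLAUDE.md").open("a", encoding="utf-8") as fh:  # global hint (wording assumed)
        fh.write("\n- For furniture or woodworking tasks, invoke /woodworking first.\n")
    settings = claude / "settings.json"
    cfg = json.loads(settings.read_text()) if settings.is_file() else {}
    cfg.setdefault("mcpServers", {})["fusion360"] = {"url": "http://127.0.0.1:9000/mcp"}
    settings.write_text(json.dumps(cfg, indent=2))
    (claude / "commands" / "woodworking.md").write_text("# /woodworking\nRun the ShopPrentice skill.\n")
    (home / ".shopprentice").mkdir(exist_ok=True)
    (home / ".shopprentice" / "Desk.jsonl").write_text('{"cmd": "FusionExtrude"}\n')  # action log


def demo() -> dict:
    """Pre-install snapshot, simulated install, post-install diff, in a throwaway home."""
    home = Path(tempfile.mkdtemp(prefix="skill-audit-"))
    (home / ".claude").mkdir()
    (home / ".claude" / "CLAUDE.md").write_text("# Personal notes\n")
    (home / ".claude" / "settings.json").write_text(json.dumps({"mcpServers": {}}))
    before = snapshot(home)
    servers_before = mcp_servers(home / ".claude" / "settings.json")
    simulate_installer(home)
    after = snapshot(home)
    servers_after = mcp_servers(home / ".claude" / "settings.json")
    return {"diff": diff_snapshots(before, after),
            "new_mcp_servers": sorted(servers_after - servers_before)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real install, call snapshot(Path.home()) before and after running the installer and refuse to proceed until every entry in "added" and "changed" is one you expected; the same diff after the uninstaller shows whether it removed only what the installer added.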

VirusTotal

65/65 vendors reported this skill as clean. A clean antivirus verdict means no vendor matched known malware signatures; it says nothing about the capability, configuration and data-handling findings listed above, which are design properties of the skill rather than malware.