Trusted (risk score 5/100)
Last scanned: 2 days ago
openclaw-3d-blender-mcp
Complete Blender MCP installation for OpenClaw. Includes local/remote setup, ngrok, verification, troubleshooting.
Blender MCP integration skill with clear documentation, legitimate subprocess usage for CLI tools, and standard TCP networking for remote Blender control. No malicious indicators detected.
Skill name: openclaw-3d-blender-mcp
Analysis time: 40.5s
Engine: pi
OK to install
This skill is safe to use. All subprocess and network operations are declared in SKILL.md and are necessary for Blender MCP functionality.

Security findings: 1

Severity: Low
Finding: Hardcoded ngrok endpoints in test scripts
Location: scripts/test_direct.py:12
Some test scripts (test_direct.py, mcp_client.py) contain hardcoded ngrok endpoints (8.tcp.ngrok.io:16325). While convenient for testing, these are not documented in SKILL.md.
HOST = '8.tcp.ngrok.io'
→ Consider using environment variables for host configuration, or document hardcoded endpoints in SKILL.md
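| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | | No file writes detected |
| Network access | READ | READ | ✓ Consistent | TCP connections to Blender via ngrok tunnel |
| Command execution | WRITE | WRITE | ✓ Consistent | subprocess.Popen for uvx blender-mcp (documented in SKILL.md) |
| Environment variables | NONE | READ | ✓ Consistent | Only reads BLENDER_HOST, BLENDER_PORT, DISABLE_TELEMETRY |
| Skill invocation | NONE | NONE | | N/A |
| Clipboard | NONE | NONE | | N/A |
| Browser | NONE | NONE | | N/A |
| Database | NONE | NONE | | N/A |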
1 finding
Medium: External URL
https://www.youtube.com/watch?v=dxlyCPGCvy8
SKILL.md:20

Directory structure

18 files · 65.6 KB · 2448 lines
Python 13f · 1455L, Markdown 3f · 975L, Shell 1f · 12L, JSON 1f · 6L
├─ 📁 references
│ ├─ 📝 common_errors.md Markdown 492L · 11.4 KB
│ └─ 📝 coordinate_system.md Markdown 305L · 7.5 KB
├─ 📁 scripts
│ ├─ 🐍 blender_direct_v2.py Python 96L · 3.1 KB
│ ├─ 🐍 blender_direct.py Python 95L · 2.9 KB
│ ├─ 🐍 blender_wait.py Python 109L · 3.5 KB
│ ├─ 🐍 get_scene_info.py Python 104L · 2.8 KB
│ ├─ 🐍 http_bridge.py Python 111L · 3.2 KB
│ ├─ 🐍 mcp_client_full.py Python 152L · 4.5 KB
│ ├─ 🐍 mcp_client.py Python 77L · 2.1 KB
│ ├─ 🐍 mcp_persistent.py Python 114L · 2.9 KB
│ ├─ 🔧 start-server.sh Shell 12L · 258 B
│ ├─ 🐍 test_direct.py Python 88L · 2.5 KB
│ ├─ 🐍 test_modal.py Python 114L · 2.7 KB
│ ├─ 🐍 test_simple.py Python 66L · 2.3 KB
│ ├─ 🐍 test-connection.py Python 65L · 2.2 KB
│ └─ 🐍 verify_blender_connection.py Python 264L · 7.5 KB
├─ 📋 _meta.json JSON 6L · 296 B
└─ 📝 SKILL.md Markdown 178L · 4.0 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| uvx | any | system | | CLI tool, not a Python package |

Security highlights

✓ All subprocess usage declared in SKILL.md via 'uvx blender-mcp' commands
✓ No credential harvesting or sensitive path access (.ssh, .aws, .env)
✓ No base64 encoding, eval(), or obfuscated code patterns
✓ No curl|bash or wget|sh remote script execution patterns
✓ No hidden instructions in HTML comments or elsewhere
✓ TCP networking is standard for Blender MCP/ngrok tunneling
✓ Environment variables used are relevant to Blender MCP (BLENDER_HOST, BLENDER_PORT, DISABLE_TELEMETRY)
✓ No data exfiltration or C2 communication patterns
✓ Legitimate CLI tool usage (subprocess for uvx blender-mcp)
✓ Well-structured, documented skill with clear purpose