Blender 3D: why it is not safe to use
Blender 3D scored 58/100 (warn): it exposes an arbitrary-Python execution tool and ingests third-party asset text, creating an injection-to-execution path.
What we found
Blender 3D (`ahujasid/blender-mcp`) is open-source, readable Python with no packed code and no hardcoded secrets, and it reads only its own configured API keys. It scored 58/100 with a warn verdict on our scan.
Our main concern is the `execute_blender_code` tool, which runs arbitrary Python inside Blender on your machine. The project's own README calls this feature potentially dangerous and advises saving your work first. The skill also ingests asset metadata from third parties (Sketchfab, Poly Haven, Rodin) and returns Blender scene text back to the model. Combined with that code-execution tool, untrusted text could steer the model toward running code you did not intend.
We also noted optional data flows: documented telemetry (which you can disable) and prompts or assets sent to generation APIs such as Hyper3D/Rodin and Hunyuan3D when those features are used. Any Python it runs carries your local user account's privileges.
What to do instead
If you use it, run it on a non-sensitive account or a sandbox, disable telemetry, and avoid the AI-generation and remote-asset features when working with confidential scenes. Review what `execute_blender_code` is asked to run before approving it.
Source: https://github.com/ahujasid/blender-mcp
We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.