Find Stl

Verdict: Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill largely does what it claims, but its downloader can write or extract provider-supplied files without sufficient path validation, which could let a malicious model package place files outside the intended folder.

Before installing, be aware that the skill contacts Printables and downloads model files to your computer. Use a disposable or clearly scoped output folder, avoid fetching untrusted model IDs, and prefer a version that validates filenames and ZIP contents before writing files.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or malformed model file listing could overwrite files outside the chosen model folder or place unexpected files on the user's system.

Why it was flagged

The script uses filenames and archives obtained from Printables and writes/extracts them locally without first validating that resolved paths stay inside the intended output directory or checking archive contents.

Skill content

# Filename comes straight from the provider-supplied listing; no check for
# absolute paths or ".." components before it is joined to the output folder.
name = fobj.get("name") or f"file-{fid}"
out_path = os.path.join(base_dir, "files", name)
# The resolved out_path is never verified to stay under base_dir/files.
download_file(link, out_path)
...
# Archive entries are extracted as-is; member names are not inspected, so an
# entry with a path escaping extract_dir would be written there.
with zipfile.ZipFile(zip_path, "r") as z:
    z.extractall(extract_dir)

Recommendation

Sanitize downloaded filenames, reject absolute paths and '..' components, resolve and verify every destination path is under the output directory, and inspect ZIP entries before extraction.