Find Stl
Advisory. Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed model file listing could overwrite files outside the chosen model folder or place unexpected files on the user's system.
The script uses filenames and archives obtained from Printables and writes or extracts them locally without first validating that the resolved paths stay inside the intended output directory or inspecting the archive contents.
Code from the skill as quoted in the finding (the filename comes straight from the listing, and the archive is extracted without inspection):

```python
name = fobj.get("name") or f"file-{fid}"          # listing-controlled filename, not validated
out_path = os.path.join(base_dir, "files", name)  # a name with '..' or an absolute path escapes base_dir
download_file(link, out_path)
...
with zipfile.ZipFile(zip_path, "r") as z:
    z.extractall(extract_dir)                     # entries are not inspected before extraction
```

Recommendation: sanitize downloaded filenames, reject absolute paths and '..' components, resolve and verify that every destination path is under the output directory, and inspect ZIP entries before extraction.
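Hardened counterparts of the two operations in the snippet above, as an added example that is not the skill's own code: the function names safe_output_path, safe_extract and check_samples are assumed, and the sample filenames and archives are constructed inline rather than taken from Printables.

```python
import os, stat, tempfile, zipfile
from pathlib import PurePosixPath

def safe_output_path(base_dir, name):
    """Map a downloaded filename to base_dir/files/<name>; reject paths."""
    parts = PurePosixPath(name.replace("\\", "/")).parts
    if len(parts) != 1 or os.path.isabs(name) or name.startswith(("/", "\\")):
        raise ValueError(f"rejected filename: {name!r}")
    files_dir = os.path.realpath(os.path.join(base_dir, "files"))
    out_path = os.path.realpath(os.path.join(files_dir, name))
    if os.path.commonpath([files_dir, out_path]) != files_dir:  # backstop after resolving
        raise ValueError(f"path escapes output directory: {name!r}")
    return out_path

def safe_extract(zip_path, extract_dir):
    """Inspect every ZIP entry first; write nothing unless all of them pass."""
    root = os.path.realpath(extract_dir)
    with zipfile.ZipFile(zip_path, "r") as z:
        for info in z.infolist():
            parts = PurePosixPath(info.filename.replace("\\", "/")).parts
            if not parts or parts[0] == "/" or ".." in parts or ":" in parts[0]:
                raise ValueError(f"unsafe zip entry: {info.filename!r}")
            if stat.S_ISLNK(info.external_attr >> 16):  # Unix mode sits in the high 16 bits
                raise ValueError(f"symlink entry rejected: {info.filename!r}")
            dest = os.path.realpath(os.path.join(root, *parts))
            if os.path.commonpath([root, dest]) != root:
                raise ValueError(f"entry escapes extract dir: {info.filename!r}")
        z.extractall(root)
        return z.namelist()

def _verdict(fn, *args):
    try:
        fn(*args)
        return "accepted"
    except ValueError:
        return "rejected"

def check_samples():
    """Constructed inputs (not real Printables data) exercising both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        names = {"plain": "model.stl", "dotdot": "../model.stl",
                 "absolute": "/etc/passwd", "nested": "a/b.stl"}
        results = {k: _verdict(safe_output_path, tmp, v) for k, v in names.items()}
        good, bad, out = (os.path.join(tmp, n) for n in ("good.zip", "bad.zip", "out"))
        for path, entry in ((good, "parts/lid.stl"), (bad, "../escape.stl")):
            with zipfile.ZipFile(path, "w") as z:
                z.writestr(entry, b"solid")
        results["good_zip"] = safe_extract(good, out)
        results["bad_zip"] = _verdict(safe_extract, bad, out)
        return results
```

The single-filename policy in safe_output_path is stricter than the minimum the recommendation asks for; relax it to allow subdirectories only if the realpath containment check stays in place.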
