Find Stl
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: find-stl
Version: 0.1.0
The skill bundle is benign. The `SKILL.md` provides clear, functional instructions without any prompt injection attempts against the agent. The `scripts/find_stl.py` script exclusively interacts with the legitimate `api.printables.com` endpoint to search for and download 3D model files (STL/3MF/ZIP). File system operations are limited to creating output directories and writing/extracting downloaded files to a user-specified or default local path (`~/models/incoming`), which is consistent with its stated purpose. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed model file listing could overwrite files outside the chosen model folder or place unexpected files on the user's system.
The script uses filenames and archives obtained from Printables and writes/extracts them locally without first validating that resolved paths stay inside the intended output directory or checking archive contents.
# Filename comes straight from the remote listing and is joined without validation
name = fobj.get("name") or f"file-{fid}"
out_path = os.path.join(base_dir, "files", name)
download_file(link, out_path)
...
# Archive entries are extracted without inspecting their paths
with zipfile.ZipFile(zip_path, "r") as z:
    z.extractall(extract_dir)
Sanitize downloaded filenames, reject absolute paths and '..' components, resolve and verify that every destination path is under the output directory, and inspect ZIP entries before extraction.
