Skill v1.0.0
ClawScan security
Kiln · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 7:19 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, runtime instructions, and declared environment variables are coherent with a 3D-printer control/design tool; nothing requests unrelated credentials or hidden installs, though installing the upstream PyPI package and granting network/camera access carry expected operational risks.
- Guidance: This skill appears coherent for controlling printers from an AI agent, but before installing or letting an agent use it: 1) Inspect the actual kiln3d PyPI package and GitHub repo (authors, recent commits, signatures), because the SKILL.md points to external code that pip will install. 2) Limit risk by running the package in an isolated environment or VM and on a segregated network (printer LAN) to avoid broad network/camera exposure. 3) Only provide minimal printer API keys and consider read-only or scoped credentials where supported. 4) Review any camera/capture behavior for privacy. 5) Verify claims (e.g., Craftcloud outsourcing, signed releases) against the upstream project before trusting automated, unsupervised printing.
Review Dimensions
- Purpose & Capability (ok): Name/description (3D printer control, model generation, marketplace search, slicing, fleet management) match the SKILL.md and server.json entries. Declared environment variables (printer host, API key, printer type) align with the stated purpose and are minimal. No unrelated credentials or binaries are requested.
- Instruction Scope (ok): SKILL.md describes actions an agent would take (install kiln3d, connect to local printers, search marketplaces, slice/queue prints, monitor cameras). Those actions are within the stated domain. The instructions do imply the agent will access printer APIs and camera snapshots (expected for this functionality), and they do not direct reading of unrelated system files or unrelated environment variables.
- Install Mechanism (note): The skill is instruction-only in the registry, but SKILL.md tells the user/agent to pip install kiln3d (PyPI) and links to GitHub. Installing from PyPI is typical for Python tools, but it installs third-party code into your environment; validate the PyPI package and repository before installing. There is no packaged install spec in the registry itself.
- Credentials (ok): server.json lists three optional environment variables (printer host, API key, printer type). These are reasonable and proportionate to controlling printers. No extra secrets, cloud credentials, or unrelated tokens are requested.
- Persistence & Privilege (ok): The skill is not force-included (always:false) and is user-invocable; autonomous invocation is permitted (platform default). The skill does not declare system-wide config modification or access to other skills' credentials.
