Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bambu Lab 3D Printer

v1.0.0

Control Bambu Lab 3D printers (H2D, X1C, P1S, A1) via CLI. Print management, AMS filament control, temperature, fans, lights, calibration, file management, a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (local control of Bambu Lab printers) aligns with the commands and workflows in SKILL.md. However the metadata lists no required binaries while the README explicitly requires installing a global npm CLI (@versatly/bambu) and therefore requires Node/npm; that mismatch is an unexplained omission. Also there is no source/homepage or publisher info for the referenced npm package, so provenance is unclear.
Instruction Scope
SKILL.md is focused on printer control only (status, print jobs, AMS, temps, fans, lights, movement, file management). It does not instruct reading unrelated system files or exfiltrating data. It does instruct storing printer credentials (IP, serial, LAN access code) in ~/.bambu/config.json, which is expected for local control but is sensitive and worth protecting.
Install Mechanism
There is no install spec in the registry entry, but SKILL.md tells users to run `npm i -g @versatly/bambu`. A global npm install runs unreviewed code on the host and can be high risk if the package/publisher is untrusted. The skill also fails to declare required runtime binaries (node/npm), which is an inconsistency. Because there is no homepage/source provided, the package origin cannot be verified from the registry metadata.
Credentials
The skill requests no cloud credentials or extra environment variables, which is proportionate. It does require local printer credentials (LAN access code, IP, serial) and stores them in ~/.bambu/config.json — reasonable for the function but sensitive. Users should ensure the config file permissions are restrictive and understand that the CLI will use local network (MQTT/FTP) to talk to hardware.
Persistence & Privilege
The skill uses always:false (the default) and has no install spec that modifies other skills or system settings. The CLI will create a config in the user's home directory when run; that is normal. Be aware that the skill enables physical control (heating, movement, raw G-code), which can be dangerous if run autonomously without supervision. Autonomous invocation itself is normal, but combined with hardware control it increases the risk to physical equipment and safety.
What to consider before installing
Before installing or allowing an agent to use this skill:
1) Verify the npm package publisher and source for @versatly/bambu (check npmjs.com, the package's repository, and recent release history). Do not run a global npm install of an untrusted package.
2) Ensure Node and npm are installed and the metadata is updated to declare those requirements.
3) Inspect the package code (or its Git repo) before installing, or run the CLI in an isolated VM/container or on a network segment that cannot reach sensitive hosts.
4) Be aware the CLI will store the printer IP/serial/LAN access code in ~/.bambu/config.json; restrict file permissions and consider encrypting or managing that secret carefully.
5) Test only read-only commands first (status, ams, temp) to verify behavior.
6) Do not grant unsupervised autonomous agent control of a physical printer; require explicit user confirmation before any command that heats, moves, or executes raw G-code.
If you want a lower-risk setup, manually install a vetted CLI client from an official Bambu source or run the workflow from a controlled environment.
