Skill v1.0.0
ClawScan security
Bambu Lab 3D Printer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 1, 2026, 4:06 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions match a Bambu printer CLI workflow, but the package install and provenance are underspecified and there are small-but-important mismatches (no declared runtime binaries, no homepage/source, and it asks you to install a global npm package that could run arbitrary code).
- Guidance
- Before installing or allowing an agent to use this skill:
  1) Verify the npm package publisher and source for @versatly/bambu (check npmjs.com, the package's repository, and recent release history). Do not run a global npm install of an untrusted package.
  2) Ensure Node and npm are installed and the metadata is updated to declare those requirements.
  3) Inspect the package code (or its Git repo) before installing, or run the CLI in an isolated VM/container or on a network segment that cannot reach sensitive hosts.
  4) Be aware the CLI will store the printer IP/serial/LAN access code in ~/.bambu/config.json; restrict file permissions and consider encrypting or managing that secret carefully.
  5) Test only read-only commands first (status, ams, temp) to verify behavior.
  6) Do not grant unsupervised autonomous agent control of a physical printer; require explicit user confirmation before any command that heats, moves, or executes raw G-code.
  If you want a lower-risk setup, manually install a vetted CLI client from an official Bambu source or run the workflow from a controlled environment.
Review Dimensions
- Purpose & Capability
- note: The skill's stated purpose (local control of Bambu Lab printers) aligns with the commands and workflows in SKILL.md. However, the metadata lists no required binaries while the README explicitly requires installing a global npm CLI (@versatly/bambu) and therefore requires Node/npm; that mismatch is an unexplained omission. Also, there is no source/homepage or publisher info for the referenced npm package, so provenance is unclear.
- Instruction Scope
- ok: SKILL.md is focused on printer control only (status, print jobs, AMS, temps, fans, lights, movement, file management). It does not instruct reading unrelated system files or exfiltrating data. It does instruct storing printer credentials (IP, serial, LAN access code) in ~/.bambu/config.json, which is expected for local control but is sensitive and worth protecting.
- Install Mechanism
- concern: There is no install spec in the registry entry, but SKILL.md tells users to run `npm i -g @versatly/bambu`. A global npm install runs unreviewed code on the host and can be high risk if the package/publisher is untrusted. The skill also fails to declare required runtime binaries (node/npm), which is an inconsistency. Because there is no homepage/source provided, the package origin cannot be verified from the registry metadata.
- Credentials
- note: The skill requests no cloud credentials or extra environment variables, which is proportionate. It does require local printer credentials (LAN access code, IP, serial) and stores them in ~/.bambu/config.json — reasonable for the function but sensitive. Users should ensure the config file permissions are restrictive and understand that the CLI will use the local network (MQTT/FTP) to talk to the hardware.
- Persistence & Privilege
- note: always:false (default) and no install spec that modifies other skills or system settings. The CLI will create a config in the user's home when run; that is normal. Be aware that the skill enables physical control (heating, movement, raw G-code), which can be dangerous if run autonomously without supervision — autonomous invocation itself is normal, but combined with hardware control it increases risk to physical equipment and safety.
