Bambu Studio Ai

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for Bambu printer automation, but it includes high-impact printer control and background monitoring paths that need closer review before installation.

Review this skill carefully before installing if you do not want an agent to control physical printer hardware. Prefer manual Bambu Studio printing, disable or avoid raw G-code use, require explicit opt-in before monitoring or auto-pause, and treat access codes, Bambu cloud credentials, API keys, camera snapshots, and model files as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (38)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        import subprocess, shlex
        msg_safe = message.replace("\\", "\\\\").replace('"', '\\"')
        title_safe = title.replace("\\", "\\\\").replace('"', '\\"')
        subprocess.run([
            "osascript", "-e",
            f'display notification "{msg_safe}" with title "Bambu Studio AI" subtitle "{title_safe}"'
        ], timeout=5, capture_output=True)
Confidence
83% confidence
Finding
subprocess.run([ "osascript", "-e", f'display notification "{msg_safe}" with title "Bambu Studio AI" subtitle "{title_safe}"' ], timeout=5, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print(f"📸 Capturing from RTSP stream ({ip}:322)...")
    try:
        import subprocess
        result = subprocess.run(
            ["ffmpeg", "-y", "-update", "1", "-rtsp_transport", "tcp",
             "-i", f"rtsps://bblp:{ac}@{ip}:322/streaming/live/1",
             "-frames:v", "1", out],
Confidence
87% confidence
Finding
result = subprocess.run( ["ffmpeg", "-y", "-update", "1", "-rtsp_transport", "tcp", "-i", f"rtsps://bblp:{ac}@{ip}:322/streaming/live/1", "-frames:v", "1"

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f.write(script)

    try:
        subprocess.run(
            [blender_path, "--background", "--python", script_file],
            capture_output=True, timeout=120,
        )
Confidence
91% confidence
Finding
subprocess.run( [blender_path, "--background", "--python", script_file], capture_output=True, timeout=120, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        msg_safe = message.replace("\\", "\\\\").replace('"', '\\"')
        title_safe = title.replace("\\", "\\\\").replace('"', '\\"')
        subprocess.run(["osascript", "-e",
            f'display notification "{msg_safe}" with title "🖨️ {title_safe}"'],
            capture_output=True, timeout=5)
    except Exception:
Confidence
85% confidence
Finding
subprocess.run(["osascript", "-e", f'display notification "{msg_safe}" with title "🖨️ {title_safe}"'], capture_output=True, timeout=5)

Tainted flow: 'url' from requests.post (line 575, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
            suffix = ext
            break
    try:
        r = requests.get(url, timeout=30)
        r.raise_for_status()
        content_type = r.headers.get("content-type", "")
        if "png" in content_type:
Confidence
96% confidence
Finding
r = requests.get(url, timeout=30)

Tainted flow: 'url' from requests.post (line 308, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
        last_err = None
        for attempt in range(1 + retries):
            try:
                r = requests.get(url, stream=True, timeout=timeout)
                r.raise_for_status()
                expected_size = int(r.headers.get("Content-Length", 0)) or None
                written = 0
Confidence
93% confidence
Finding
r = requests.get(url, stream=True, timeout=timeout)

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The manifest claims all printer operations and monitoring require explicit user consent, but later workflow text enables automatic background print-state listening and heartbeat checks after opening a model. This inconsistency can lead to silent monitoring of local devices without a clear opt-in, undermining user expectations and consent.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The report explicitly recommends reverse-engineering undocumented third-party APIs using interception tools like mitmproxy or Wireshark and bearer tokens. This can expose user credentials, session tokens, and private account traffic, and it encourages behavior that may violate platform terms and create legal and privacy risk outside the skill's legitimate purpose.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
This section proposes uploading user STL files to a third-party service for geometric search, which transmits user-supplied models off-device. For 3D models, that can disclose proprietary designs, unreleased product geometry, or personally sensitive content, and the capability is not clearly necessary for printer-control functionality.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module is documented as an analyzer, but it conditionally modifies meshes and writes multiple derived files such as oriented, simplified, cleaned, scaled, and repaired outputs. In an agent setting, that mismatch is security-relevant because users or orchestrators may grant it read-only trust while it actually performs filesystem writes and destructive transformations on untrusted input.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The comment says analysis runs on the original mesh, but the code copies the already modified mesh and analyzes that modified state. This can conceal the effects of repair/simplification/orientation/scale changes, producing misleading reports and causing downstream automation to act on altered geometry rather than the user-supplied model.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill exposes raw G-code transmission, which allows direct low-level printer control beyond the declared high-level workflow. In a 3D printer control skill, this materially increases risk because arbitrary G-code can move axes, heat components, disable safeguards, or damage hardware without the preview/confirmation gates applied to normal print jobs.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The standalone notification capability is unrelated to core printer control and can be abused to send arbitrary user-visible messages through local OS notifications and log files. In an agent skill, extra messaging surfaces expand abuse potential for phishing, spam, or deceptive prompts that appear to come from the system.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This fallback path expands the attack surface by invoking Blender headlessly to parse and process attacker-controlled GLB/GLTF content, despite the primary function already attempting in-process extraction. In a 3D-printing automation skill, model files are likely to come from users or external sources, so handing them to a large external application materially increases risk from parser exploits or unsafe execution paths.

Description-Behavior Mismatch

Low
Confidence
69% confidence
Finding
The script performs live printer interrogation to collect model, nozzle, and AMS filament state, which expands scope from local slicing into device interaction and metadata collection. In a security-sensitive environment, this can leak operational details about attached hardware or unexpectedly contact networked/local devices when a user only intended offline processing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly advertises raw G-code execution against a physical 3D printer but does not warn that arbitrary commands can move axes, heat components, or otherwise trigger unsafe hardware behavior. In an agent-integrated skill, this is more dangerous because users may treat documented commands as endorsed safe actions, increasing the risk of equipment damage or unsafe operation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README promotes camera-based monitoring plus LAN/cloud printer access without disclosing privacy and security implications for captured images, printer metadata, network endpoints, and possible third-party AI processing. In this skill context, that omission matters because the workflow encourages continuous monitoring and remote connectivity, which can expose sensitive home/workshop imagery and device-control surfaces if users are not clearly informed.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation description includes broad phrases like 'any 3D printing task' and common terms such as 'status' and 'generate 3D,' which can trigger the skill in loosely related conversations. Because this skill has printer-control, file, shell, and network capabilities, overbroad activation increases the chance of unintended invocation in sensitive contexts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes starting a background MQTT listener and heartbeat-based print detection immediately after model handoff, but does not require a clear prior warning or opt-in. Silent background monitoring of a local printer and related notifications is privacy-sensitive and expands device interaction beyond the user's immediate request.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document instructs users to authenticate with their Bambu Lab email and password and obtain an access token, but it provides no warning about secure credential handling, storage, or scoping. In a printer-control skill, this is meaningful because the credentials grant access to printers, cloud files, camera URLs, and print actions, increasing the chance that downstream tooling or prompts may solicit or mishandle secrets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation shows an RTSP URL format that places the printer access code directly in the URI userinfo segment. In practice, credentials embedded in connection strings are easily exposed through logs, shell history, screenshots, process listings, copied commands, or telemetry, which can leak printer access to unintended parties.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The document explicitly recommends cloning and installing third-party code (`git clone`, `pip install -e .`) on a local system without any warning about executing untrusted code, dependency side effects, or environmental changes. In an agent skill context, this is risky because users may follow the instructions as endorsed workflow steps and expose their workstation to supply-chain or arbitrary-code-execution risk.

Missing User Warnings

Low
Confidence
96% confidence
Finding
This section again instructs users to clone, install, and run open-source tooling locally, including post-processing scripts, but does not disclose that these commands execute external code and can modify the environment. Even though framed as research notes, embedded operational instructions in a skill can normalize unsafe execution of unvetted software.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown suggests reverse-engineering and traffic interception without adequate warning about legal, account-security, and privacy consequences. Users following this guidance could unintentionally capture credentials or sensitive traffic and violate service terms, making the omission itself unsafe guidance in a security-sensitive skill context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document recommends reverse-engineering Thangs addon/API behavior and pairing that with model upload ideas, but it does not clearly warn that authenticated addon traffic may contain tokens and that uploaded geometry may be sensitive IP. In this context, the missing safeguards make the recommendation materially risky.

VirusTotal

66/66 vendors flagged this skill as clean.