Back to skill

Security audit

Bring! Shoppinglist

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Bambu Lab 3D printer automation helper, with sensitive credentials and printer control scoped to its stated purpose.

Install only if you are comfortable giving the skill local access to your printer setup and any optional Bambu or 3D-generation credentials. Prefer LAN/manual mode where possible, keep secret files out of repos and backups, and confirm every print action yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs users to provide account credentials via environment variables or a local JSON file without any warning about secure storage, file permissions, or secret-handling practices. This increases the risk of credential exposure through shell history, process inspection, backups, or overly permissive files, especially because the skill handles a third-party account password directly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
bring.py:204