claw3d

Security checks across malware telemetry and agentic risk

Overview

This 3D-printing skill is mostly coherent, but it gives an agent direct physical printer control and persistent configuration-changing instructions without enough safety gates.

Review before installing. Only use this skill in an environment where you trust the agent to control your 3D printer and modify local 3D-printing configuration. Require manual confirmation before any print, start, preheat, home, cancel, or emergency-stop command, and avoid using the Telegram media-limit config patch unless an administrator intentionally approves the persistent OpenClaw setting change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to modify a global OpenClaw Telegram configuration file to increase media limits, which is outside the narrow scope of 3D-model handling. Allowing a skill to rewrite unrelated host/application config creates a path for persistent environment changes and broader platform-impacting behavior beyond the user's immediate task.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The skill instructs the agent to modify `/home/node/.openclaw/openclaw.json` to raise Telegram media limits, which is host/application configuration management outside the stated 3D modeling workflow. This expands the skill's authority into platform administration and can cause unintended service changes or restarts from an untrusted prompt path.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The embedded Python snippet patches local OpenClaw/Telegram settings directly, giving the skill an administrative action path unrelated to normal model generation. Even though framed as helping the user, this creates a precedent for privileged configuration changes initiated by conversational input.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The setup note encourages modifying OpenClaw channel configuration and local config files without clear scoping or warning about persistence and side effects. Skills should not casually direct changes to broader platform configuration because those changes affect future sessions and other workflows.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The printing module is designed to send jobs to physical printers and includes guidance to proceed with print actions once prerequisites are met, without an explicit final safety confirmation immediately before device actuation. Starting a physical process without a dedicated confirmation step increases the risk of unintended material use, device motion, or unsafe real-world consequences.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The workflow exposes direct printer control actions including pause, resume, cancel, start, home, preheat, and emergency stop without any mandatory confirmation, authorization, or safety interlock for destructive or safety-sensitive operations. In a remote agent context connected to physical hardware, an accidental or malicious prompt could trigger unsafe printer behavior, ruin prints, damage equipment, or create thermal/mechanical hazards.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The architecture and setup flow route printer IP/port information and external API integrations through the agent without defining any handling rules for secrets, network boundaries, redaction, or storage protection. This increases the risk of leaking internal network details, mishandling API credentials, or enabling unintended access to printers and third-party services through the agent workflow.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The manifest advertises printer control and management capabilities but provides no user-facing warning that actions may affect physical hardware, start jobs, or alter printer state. In a skill that can interface with Moonraker and PrusaLink, omission of explicit safety language increases the chance of unsafe or unintended real-world actions by users or downstream agents.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to add a printer in a way that writes the printer name, host, and port into a persistent local config file, but it does not require any user-facing disclosure or confirmation before that state-changing write occurs. Persisting network connection details without clear notice can surprise users, create privacy issues, and leave unintended device access configured beyond the current session.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill directs the agent to proceed from image conversion through slicing to `claw3d print` as part of a single flow, with no explicit requirement for a final user confirmation before starting a physical print. Triggering a real-world machine action without a deliberate consent checkpoint is dangerous because it can waste material, damage equipment, or create safety hazards if the model, printer, or settings are wrong.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger phrases are broad enough that ordinary user statements like "change the color" or "could we 3D print this?" may invoke this skill outside a clearly scoped 3D-editing context. That can cause the agent to take tool-using actions on attached media with insufficient confirmation, increasing the risk of unintended execution or confusing cross-skill routing.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The trigger language is broad enough that the search workflow may activate on loosely related requests such as general object discussion or ambiguous references to finding a model. In this skill, unintended invocation is more risky because the flow immediately authorizes long-running external searches, downloads thumbnails and models, and creates local files, which can cause unnecessary network activity and side effects without clear user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The workflow directs the agent to run a command that performs external network access, downloads thumbnails and model files, and writes artifacts locally, but it does not require disclosure or consent for those side effects. In an agent setting, silent fetching of remote content increases the risk of unexpected data transfer, storage use, and ingestion of untrusted third-party files, especially because the command is described as a single default step.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill instructs the agent to run a rotation command that permanently modifies the model file, but it does not require an explicit warning and confirmation immediately before performing that destructive action. In a 3D printing workflow, this can cause unintended alteration of user assets, confusion from cumulative changes, and loss of the original orientation if the user did not understand the operation was in-place.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
This section documents direct printer-control operations including print start, preheat, home, cancel, and emergency-stop without requiring confirmation, safety checks, or operator presence. In a real 3D-printing environment, these actions can cause physical-world effects such as unintended heating, motion, interrupted jobs, hardware wear, or damage if triggered automatically or on the wrong printer.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The instructions tell the agent to edit system configuration and imply an automatic Telegram channel restart, but do not present this as a meaningful operational change requiring elevated caution and administrator approval. A user-facing 'want me to do that?' is not sufficient informed consent for host config mutation with service-impacting side effects.
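
Several findings above concern the same write path: the Telegram media-limit patch to `/home/node/.openclaw/openclaw.json`, the absence of secret-handling rules for printer hosts and API credentials, and the silent persistence of printer name/host/port into local config. The check below is an added example, not the skill's own config-patching snippet and not OpenClaw's schema; the file paths, the key names under `channels.telegram`, and the rule that a change under `channels.` restarts that channel are all assumptions chosen for illustration. It decides whether a proposed file replacement may proceed, and produces a redacted change list that the approver can read without the diff echoing a bot token into chat.

```python
"""Pre-approval check for a skill's proposed edit to a JSON config file.

Added example; it is not the claw3d skill's own config-patching snippet and
not OpenClaw's schema. The file paths and the key names under
"channels.telegram" are assumptions chosen for illustration.
"""
import json
import posixpath
from dataclasses import dataclass, field

# Hypothetical: the only file the skill may write on its own authority. The
# host config the findings describe, /home/node/.openclaw/openclaw.json, is
# deliberately absent because it belongs to the administrator.
SKILL_WRITABLE = {"/home/node/.claw3d/printers.json"}
# Hypothetical: key paths an administrator has pre-approved for a one-off change.
ADMIN_APPROVED_KEYS = {"channels.telegram.mediaMaxMb"}
# Values under keys containing these fragments are masked before the diff is
# shown, so approving a patch never echoes a credential.
SECRET_HINTS = ("token", "secret", "password", "apikey", "api_key")
ABSENT = "<absent>"


@dataclass
class Verdict:
    allowed: bool
    reason: str
    changes: list = field(default_factory=list)  # (key, old, new), secrets masked
    restarts_channel: bool = False


def flatten(obj, prefix=""):
    """Yield (dotted.key.path, leaf) pairs; nested dicts become dotted paths."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    else:
        yield prefix.rstrip("."), obj


def redact(key: str, value):
    return "<redacted>" if any(h in key.lower() for h in SECRET_HINTS) else value


def review_config_write(path: str, current_text: str, proposed_text: str,
                        admin_approved: bool = False) -> Verdict:
    """Decide whether the skill may replace current_text with proposed_text at path."""
    before = dict(flatten(json.loads(current_text)))
    after = dict(flatten(json.loads(proposed_text)))
    keys = sorted(k for k in before.keys() | after.keys()
                  if before.get(k, ABSENT) != after.get(k, ABSENT))
    changes = [(k, redact(k, before.get(k, ABSENT)), redact(k, after.get(k, ABSENT)))
               for k in keys]
    # Assumption: a channel whose settings change is restarted, as the findings
    # describe for Telegram; flag it so the approver sees the side effect.
    restarts = any(k.startswith("channels.") for k in keys)
    if not keys:
        return Verdict(True, "no-op: proposed content equals current content")
    # normpath collapses "..", so a path aimed at the skill's own directory
    # cannot traverse back out to the host config.
    if posixpath.normpath(path) in SKILL_WRITABLE:
        return Verdict(True, "skill-owned file", changes, restarts)
    if not admin_approved:
        return Verdict(False, "host config is outside the skill's writable set; "
                       "administrator approval required", changes, restarts)
    stray = sorted(set(keys) - ADMIN_APPROVED_KEYS)
    if stray:
        return Verdict(False, f"touches keys outside the approved set: {stray}",
                       changes, restarts)
    return Verdict(True, "administrator-approved change to host config", changes, restarts)


if __name__ == "__main__":
    # Constructed sample config; the key names are illustrative, not OpenClaw's.
    current = '{"channels": {"telegram": {"botToken": "123:abc", "mediaMaxMb": 20}}}'
    proposed = '{"channels": {"telegram": {"botToken": "123:abc", "mediaMaxMb": 100}}}'
    print(review_config_write("/home/node/.openclaw/openclaw.json", current, proposed))
    print(review_config_write("/home/node/.openclaw/openclaw.json", current, proposed,
                              admin_approved=True))
```

Even with administrator approval, the check refuses a patch that changes any key outside the pre-approved set, which is what stops a "raise the media limit" request from smuggling in a token or channel change. For the skill-owned printer list, the verdict is allowed but the returned change list (new host and port) is exactly what the "persisting network connection details without clear notice" finding says the user should be shown before the write lands.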

VirusTotal

VirusTotal findings are pending for this skill version.