Skill v1.2.0

ClawScan security

Flashforge 3D Print · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 2, 2026, 11:06 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's description and instructions do not fully align: it claims netcat-based control but the SKILL.md references a missing Python controller script, unlisted CLI tools, and hard-coded printer network details — proceed with caution and ask for the missing code/source before installing.
Guidance
This skill is missing the referenced controller script (ralph_wiggum.py) and other files it tells you to run — ask the publisher for the source or an official repository before installing. Verify the origin of the suggested pip packages (flashforge-python-api) and avoid installing them globally; prefer an isolated virtualenv. Be aware the instructions will make network requests to the hard-coded IP and camera endpoints (10.0.0.41:8080) — confirm that is a device you control. If you decide to proceed, run in a sandboxed environment, review any downloaded code before executing, and request the missing files or a link to their canonical source so you can inspect them for unexpected behavior.

Review Dimensions

Purpose & Capability
concern: The metadata/description claims control 'via netcat' but the SKILL.md shows a Python script (ralph_wiggum.py) and a Flashforge Python API workflow instead — netcat usage is not shown. The SKILL.md also lists files (ralph_wiggum.py, WORKFLOW.md) that are not present in the package manifest, which is inconsistent with the stated purpose and execution model.
Instruction Scope
concern: Runtime instructions tell the agent/user to run a local Python script, pip-install packages, call a PrusaSlicer CLI, and curl camera endpoints on 10.0.0.41. Those commands rely on missing local files and externally installed binaries (PrusaSlicer) that are not declared. The instructions also reference activating a specific virtualenv path (~/.openclaw/workspace/.venv) — an environment-specific action that may not exist. The instructions do not request unrelated system credentials, but they do instruct network access to a hard-coded local IP and camera endpoint.
Install Mechanism
ok: No formal install spec is provided (instruction-only), which minimizes automatic disk writes. SKILL.md suggests running pip install flashforge-python-api requests manually; that is user-executed and not part of an automated installer in the package. Because there's no download/install step in the skill bundle itself, install-mechanism risk from the registry package is low — but the suggested pip installs should be verified by the user.
Credentials
note: The skill requests no environment variables or credentials, which is proportionate. However, it embeds specific network targets (printer IP 10.0.0.41), a serial number, and a 'check code' in the documentation — hard-coded network targets and codes may be sensitive or surprising. The instructions also implicitly require locally installed tools (PrusaSlicer CLI, Python script) that aren't declared as requirements.
Persistence & Privilege
ok: The skill does not request always:true and does not declare any persistent/system-wide modifications. Autonomous invocation is allowed (platform default) but not combined with other high-risk factors in the registry metadata.