Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OctoClaw
v1.0.0
Control OctoPrint 3D printer — monitor status, capture webcam snapshots, manage prints, analyze gcode, and detect errors. Use when the user asks about their...
⭐ 0 · 644 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the observed behavior: the script talks to an OctoPrint URL, provides status, print controls, webcam snapshots, gcode analysis, and optional Telegram integration. No unrelated credentials or cloud services are requested in metadata.
Instruction Scope
Runtime instructions only invoke the provided script for OctoPrint operations. The script will read config.json (containing octoprint_url, api_key, and optional Telegram tokens) and can read local files when running 'analyze' or 'upload' — which is expected but means users must avoid pointing it at sensitive system files. The SKILL.md instructs resolving paths relative to the skill dir; be aware analyze/upload accept arbitrary file paths.
Install Mechanism
This is an instruction-only skill (no install spec), requiring python3 which is declared. The script depends on the 'requests' library but the skill does not declare Python package dependencies; that may cause runtime failures and is a packaging/hygiene omission rather than a malicious artifact.
Credentials
No environment variables or additional credentials are requested by the skill metadata. The tool uses a local config.json for the OctoPrint API key and optional Telegram tokens, which is reasonable and proportional to the functionality.
Persistence & Privilege
The skill does not request persistent/always-on inclusion and does not appear to change other skills or system settings. Normal autonomous invocation is allowed (platform default) and not by itself a problem.
Assessment
This skill appears to do what it says (control OctoPrint and related tasks). Before installing:
1) Inspect the full scripts/octoprint.py (we only saw a truncated excerpt) to confirm there are no hidden network endpoints or unexpected behaviors.
2) Ensure the Python runtime has the 'requests' package available or install it in a controlled environment.
3) Keep config.json (which stores your OctoPrint API key and any Telegram tokens) private and only place trusted credentials there.
4) Be cautious with 'analyze' or 'upload' commands — they read local files, so don't point them at sensitive system files.
5) If you will enable Telegram features, verify the destination chat/token are correct and intended.
If you want higher assurance, run the script in an isolated environment (container or VM) and review the complete source file for any network calls beyond OctoPrint/Telegram endpoints.
Like a lobster shell, security has layers — review code before you run it.
latestvk977ynpm6p1d5dpm9j52yrpxy181af8p
Runtime requirements
🐙 Clawdis
Bins: python3
