OctoClaw

Security checks across malware telemetry and agentic risk

Overview

This skill broadly does what it claims, but it controls a real 3D printer and exposes external Telegram sending without enough built-in scoping or confirmation.

Install only if you trust the agent to control your OctoPrint instance. Keep the OctoPrint API key and Telegram credentials private, leave Telegram fields unset unless you intentionally want printer data sent to that chat, and require explicit human confirmation before starting/canceling prints, uploading files, changing temperatures, or sending snapshots/messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation indicates file access and networked control of an OctoPrint instance, but no explicit permissions are declared. This creates a transparency and governance gap: users and review systems may not realize the skill can read local files and communicate with external services, including a printer controller and possibly Telegram.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated description focuses on printer control/monitoring, but the documented behavior also includes sending status, images, and arbitrary messages to Telegram using separate external credentials/services. This mismatch can hide data exfiltration paths and lead users to invoke the skill without understanding that printer telemetry or webcam snapshots may be transmitted off-device.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill adds Telegram messaging and photo-sending capabilities that transmit printer status and webcam data to a third-party service outside the stated OctoPrint control scope. In an agent setting, this broadens the data boundary and creates an exfiltration path for operational details and images without being clearly justified by the manifest.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Arbitrary message sending to Telegram is unrelated to core printer control and can be abused as a general outbound communication channel. In a tool-enabled agent, such a primitive materially increases the risk of data exfiltration, covert signaling, or sending attacker-influenced content to an external service.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger text is broad enough to match ordinary discussion about printers, temperatures, filament, or status, which increases the chance the skill is invoked in contexts where the user did not intend device control. Because this skill can perform real-world actions like starting, pausing, canceling prints, or changing temperatures, accidental activation is more dangerous than in a read-only skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents destructive or state-changing printer actions such as starting prints, canceling jobs, and changing temperatures without any explicit confirmation or safety interlock. In a physical-device context, mistaken or unauthorized execution can waste material, damage prints, create overheating risk, or disrupt equipment operation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Telegram features allow sending printer status, webcam snapshots, and arbitrary messages externally, but the documentation provides no privacy warning or user-consent language. This is risky because webcam images and operational data may reveal sensitive information about the user's environment, schedule, or equipment to third-party services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The photo upload function sends local image data to Telegram, which is an external third party, with no in-code warning, consent check, or policy boundary. Because the snapshot may reveal a live webcam view of a home or workspace, this introduces privacy risk and an exfiltration path beyond normal printer management.

External Transmission

Medium
Category
Data Exfiltration
Content
    url = f"https://api.telegram.org/bot{config['telegram_bot_token']}/sendMessage"

    try:
        response = requests.post(url, json={
            "chat_id": config["telegram_chat_id"],
            "text": message,
            "parse_mode": "Markdown"
Confidence
90% confidence
Finding
requests.post(url, json=

External Transmission

Medium
Category
Data Exfiltration
Content
        print("Error: Telegram not configured. Add telegram_bot_token and telegram_chat_id to config.json", file=sys.stderr)
        sys.exit(1)

    url = f"https://api.telegram.org/bot{config['telegram_bot_token']}/sendMessage"

    try:
        response = requests.post(url, json={
Confidence
86% confidence
Finding
https://api.telegram.org/

External Transmission

Medium
Category
Data Exfiltration
Content
        print(f"Error: Image file not found: {image_path}", file=sys.stderr)
        sys.exit(1)

    url = f"https://api.telegram.org/bot{config['telegram_bot_token']}/sendPhoto"

    try:
        with open(image_path, 'rb') as f:
Confidence
91% confidence
Finding
https://api.telegram.org/

Exfiltration Commands

High
Category
Prompt Injection
Content
        print("  upload <file>       - Upload gcode file", file=sys.stderr)
        print("  telegram-status     - Send status to Telegram", file=sys.stderr)
        print("  telegram-snapshot   - Send snapshot to Telegram", file=sys.stderr)
        print("  telegram-msg <msg>  - Send message to Telegram", file=sys.stderr)
        sys.exit(1)

    command = sys.argv[1]
Confidence
88% confidence
Finding
Send message to

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal