Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bambu Lab

v0.1.0

Control Bambu Lab 3D printers (A1, P1P, X1) via MQTT. Use this skill for print monitoring, status queries, control (pause/stop) and notifications when a print finishes or an error occurs. Requires LAN mode with an access code.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (control + monitoring via MQTT) align with the included files: bash and Python scripts implement MQTT connect/subscribe/publish, status parsing, control commands, and notification logic for supported Bambu models.
Instruction Scope
SKILL.md simply instructs running the included scripts; the scripts stay within scope (connect to printer over MQTT, show status, send commands, optionally notify). The monitor script reads/writes a state file in the agent/workspace and can write a notification file under /tmp to integrate with OpenClaw. No unrelated OS-wide file reads or broad 'gather context' instructions are present.
Install Mechanism
No install spec is present (instruction-only skill). Scripts rely on standard system packages (mosquitto-clients) or Python paho-mqtt; no downloads from arbitrary URLs or archive extraction are used.
Credentials
The code contains hard-coded defaults for HOST, SERIAL and ACCESS_CODE (192.168.30.103 / 03919A3A2200009 / 33576961) and a hard-coded TELEGRAM_CHAT_ID. While these are relevant to the skill's function, embedding what appear to be real device credentials in the repository is risky: they should be treated as secrets and replaced with environment variables or removed. The scripts do accept BAMBU_* env overrides but the repository still exposes defaults.
Persistence & Privilege
The monitor writes persistent state to /home/node/.openclaw/workspace/.bambu_state.json and may write /tmp/bambu_notification.txt for integration; it does not change other skills or set system-wide configuration. 'always' is false and the skill does not demand elevated privileges, but it is designed to be run continuously/periodically (cron) which creates persisted state.
Assessment
This skill appears to do what it says (local MQTT control and monitoring). Before installing or running it:
- Replace the hard-coded HOST, SERIAL and ACCESS_CODE values with your own device values or configure BAMBU_HOST/BAMBU_SERIAL/BAMBU_ACCESS_CODE environment variables; treat any credentials as secrets. The repository defaults look like someone else's device and should not be trusted.
- Confirm the scripts will run only on your local network (they connect to a LAN IP). Do not run them on public networks where the printer IP might be reachable by others.
- The monitor will write persistent state: it uses /home/node/.openclaw/workspace/.bambu_state.json and /tmp/bambu_notification.txt. If you care about privacy, change the state file path to somewhere appropriate and inspect the contents the script writes.
- If you want Telegram notifications, review and modify send_telegram() — the current implementation prefers writing a local notification file for OpenClaw integration and does not send messages to Telegram unless you implement that behavior and supply TELEGRAM_BOT_TOKEN. Do not assume TELEGRAM_BOT_TOKEN in the environment will be used as-is without code changes.
- Ensure required binaries/libraries (mosquitto-clients or python3 + paho-mqtt) come from trusted sources and run the scripts in a controlled environment first (test with your own device or a VM).
