ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bambu Lab Local Control

v1.0.1

Control Bambu Lab 3D printers locally via MQTT (no cloud). Supports A1, A1 Mini, P1P, P1S, X1C.

3· 2.4k·2 current·3 all-time
by@tanguyvans
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: bambu.py uses paho-mqtt to connect to a local printer IP over MQTT/TLS and publish/subscribe on device/{serial} topics. Declared binary (python3) and the required inputs (printer_ip, access_code, serial) are appropriate for the described functionality.
Instruction Scope
SKILL.md stays within the purpose (create venv, install paho-mqtt, create config.json with printer info, run the script). Two operational/security notes: the Python code disables TLS certificate verification (tls_set with CERT_NONE and tls_insecure_set(True)), which is likely to accommodate a self-signed cert but weakens MITM protections; and the instructions store the printer access_code in a plain config.json inside the skill folder (sensitive data at rest). The script does not read other system files or call external endpoints beyond the printer IP.
Install Mechanism
No install spec is provided (instruction-only). The SKILL.md asks the user to pip install paho-mqtt into a venv — a low-risk, expected step for a Python MQTT client.
!
Credentials
The registry metadata declared no required config paths, but the runtime code requires a config.json placed alongside bambu.py (CONFIG_PATH). This mismatch is an informational inconsistency. The sensitive value requested (access_code) is proportional to the skill's purpose, but users should note it will be stored in plaintext by default in the skill folder unless they change that.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs when invoked and does not request elevated/persistent platform privileges.
Assessment
This skill looks like what it claims: a local MQTT controller for Bambu printers. Before installing, consider: 1) Protect the config.json (it contains your printer access_code). Move it to a secure location or restrict file permissions so others on the machine cannot read it. 2) The code disables TLS certificate verification (tls_insecure_set(True)); that reduces MITM protection — acceptable on a trusted local LAN with self-signed certs, but be cautious on untrusted networks. 3) Verify the printer IP is local and that you trust devices on that network; anyone with the access_code can control the printer. 4) Because the skill stores credentials in a file inside the skill folder, avoid running it on multi-user systems without securing the file. 5) If you want stronger security, consider editing bambu.py to enforce certificate checks or use a more secure storage mechanism for the access_code (environment variables, OS keyring) and update SKILL.md accordingly.

Like a lobster shell, security has layers — review code before you run it.

3d-printervk97cg3ym2r2ghhkxm3nng3v6n17zwhp2bambuvk97cg3ym2r2ghhkxm3nng3v6n17zwhp2iotvk97cg3ym2r2ghhkxm3nng3v6n17zwhp2latestvk97cg3ym2r2ghhkxm3nng3v6n17zwhp2mqttvk97cg3ym2r2ghhkxm3nng3v6n17zwhp2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖨️ Clawdis
Binspython3

Comments