ClawHub

Find Stl

v0.1.0

Search and download ready-to-print 3D model files (STL/3MF/ZIP) for a concept or specific part by querying Printables (first). Use when an agent needs to find an existing model, capture license/attribution, download the source files, and output a local folder + manifest for quoting/printing.

2· 2.3k·3 current·3 all-time
by@ajmwagar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description align with the included script: it queries Printables' GraphQL API, retrieves time-limited download links and writes a local folder + manifest. No unrelated credentials, binaries, or external services are requested.
!
Instruction Scope
SKILL.md describes search->fetch pipeline and the script implements exactly that, but the runtime instructs the agent (the script) to download and write arbitrary files and to extract ZIP archives without any sanitization. Filenames from the API are used directly for filesystem paths and ZipFile.extractall() is called, which creates a path-traversal / zip-slip risk and may overwrite files in the target directory.
Install Mechanism
No install spec (instruction-only plus a single Python script). No packages are fetched during install. Risk is limited to executing the included script and its network activity at runtime.
Credentials
The skill requests no environment variables or credentials, which is proportional. It does perform network calls to api.printables.com (expected for the stated purpose).
Persistence & Privilege
always is false, no persistent/privileged flags. The skill does write files under a default outdir (~/models/incoming) which is normal for its purpose but is not a platform-level persistence request.
What to consider before installing
This skill appears to do what it says (search Printables and download models), but you should be cautious before running it: 1) it downloads third-party files and extracts ZIPs without sanitizing filenames — a malicious or malformed archive or a manipulated API response could overwrite files (zip-slip / path traversal). 2) filenames from the API are used verbatim when saving, which could introduce unexpected paths. 3) the script writes to a default folder in your home directory; consider specifying an isolated outdir. Recommended actions: run the script in a sandbox or container, inspect network calls, and review/patch the code before use — specifically: sanitize downloaded filenames (use basename/safe_slug), validate ZIP members and reject entries with absolute paths or '..' components before extraction, enforce max file size and disk quotas, and prefer extracting into an empty, isolated directory. If you only need search results, run the search subcommand first (safe, read-only). If you want me to, I can produce a small patch that hardens ZIP extraction and filename handling.

Like a lobster shell, security has layers — review code before you run it.

latestvk9761ybvsxsg9hqqrjn5h7tdnx80axd8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments