Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

bambu-agent

v1.0.0

Monitor and manage Bambu Lab 3D printers in your local network with real-time status, error decoding, and a web dashboard interface.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description align with the implementation: the code opens a local web dashboard, subscribes to printers' MQTT streams on their LAN IPs, decodes status/HMS data, and exposes /api/farm/status and /api/agent/brief as described. No unrelated services or credentials are requested.
Instruction Scope
SKILL.md instructs the agent to call the local endpoints for status and hourly briefings, which matches the API implemented. The runtime code, however, includes an interactive setup wizard (input()) that writes config.json; when run headlessly as a skill, it may block or fail. The skill also explicitly asks the agent not to expose serial numbers, yet it stores the serials in config.json.
Install Mechanism
No install spec is provided (instruction/code bundle only). Dependencies are standard Python packages (fastapi, uvicorn, jinja2, paho-mqtt) listed in requirements.txt; nothing is downloaded from arbitrary URLs.
Credentials
The skill requests no environment variables or external credentials, which is proportionate. It does, however, store sensitive local secrets (the printer Access Code and serial number) in a plain-text config.json and uses them to authenticate to the printers over MQTT. This storage is expected for the stated purpose, but it is a privacy and security consideration: anyone who can read the file can authenticate to the printers exactly as the skill does, so restrict its permissions.
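As an added example (not part of the bambu-agent skill), the script below pre-creates config.json with owner-only permissions, checks those permissions before the skill is started headlessly, and produces a redacted view that is safe to log or hand to the agent. The schema it writes (printers / name / ip / serial / access_code) is an assumption: the page only says the wizard writes the Access Code and SN to config.json, so check the skill's own wizard for the real key names before relying on it.

```python
"""Pre-create config.json with owner-only permissions and check it before a headless start.

Added example, not part of the bambu-agent skill. The schema below
({"printers": [{"name", "ip", "serial", "access_code"}]}) is an assumption;
the page only says the wizard writes the Access Code and SN to config.json.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample values, not a real printer.
SAMPLE_PRINTERS = [
    {"name": "x1c-garage", "ip": "192.168.1.50",
     "serial": "00M00A000000000", "access_code": "12345678"},
]


def write_private_config(path, printers) -> None:
    """Write config.json so it is never readable by other users, even briefly.

    The JSON goes to a temp file in the same directory (mkstemp creates it
    0600), gets chmod 0600 explicitly, then is renamed over the target so a
    crash mid-write cannot leave a half-written or more permissive file behind.
    """
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".config-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:  # takes ownership of fd
            json.dump({"printers": list(printers)}, f, indent=2)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def config_permission_issues(path) -> list:
    """Pre-flight check: return reasons config.json should not be trusted.

    An empty list means a regular file, owned by the current user, with no
    group or world permission bits. A missing file is reported too, since
    that is exactly the case where the skill's interactive wizard would
    start and block a headless run.
    """
    path = Path(path)
    try:
        st = path.lstat()
    except FileNotFoundError:
        return [f"{path} does not exist; the interactive wizard would run and block"]
    issues = []
    if stat.S_ISLNK(st.st_mode):
        issues.append(f"{path} is a symlink; refusing to trust it")
    elif not stat.S_ISREG(st.st_mode):
        issues.append(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"{path} mode is {stat.S_IMODE(st.st_mode):04o}; expected 0600")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        issues.append(f"{path} is owned by uid {st.st_uid}, not the current user")
    return issues


def redact(config: dict) -> dict:
    """A copy of the config that is safe to log or hand to the agent.

    The access code is dropped and the serial keeps only its last 4 characters,
    in line with the skill's own instruction not to expose serial numbers.
    """
    printers = []
    for p in config.get("printers", []):
        q = {k: v for k, v in p.items() if k != "access_code"}
        if "serial" in q:
            q["serial"] = "****" + str(q["serial"])[-4:]
        printers.append(q)
    return {"printers": printers}


if __name__ == "__main__":
    cfg = Path("config.json")
    write_private_config(cfg, SAMPLE_PRINTERS)
    print(config_permission_issues(cfg) or "config.json permissions OK")
    print(json.dumps(redact(json.loads(cfg.read_text())), indent=2))
```

Run it once in the directory the skill reads config.json from, then run config_permission_issues as a pre-flight step in whatever launches the skill headlessly. On Windows os.chmod only toggles the read-only attribute, so the 0600 guarantee does not hold there; use NTFS ACLs (icacls) to restrict the file instead.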
Persistence & Privilege
Registry flags show the skill is not always-enabled and is user-invocable (normal). The included skill.json contains "auto_start": true, which may cause it to start automatically in some runtimes; verify platform behavior. The skill runs a local web server on 127.0.0.1:5000 and opens MQTT connections to LAN devices; this is necessary for its functionality but gives it a network presence on the host.
Assessment
This skill appears to do what it says: monitor Bambu printers over your LAN and provide a local dashboard. Before installing, note these points:
(1) It stores the Access Code and serial numbers in config.json on disk; treat that file as sensitive and restrict its permissions.
(2) The MQTT client disables TLS certificate verification (paho-mqtt's tls_insecure_set(True)). This is common for local devices that ship self-signed certificates, but it means the encrypted connection gives no assurance that the peer is really the printer, so a man-in-the-middle on the LAN could intercept the session and the Access Code sent in it; run it only on trusted networks.
(3) The initial setup uses interactive input() and will block when run headlessly; run the wizard once in a terminal, or pre-create config.json.
(4) The web UI loads Google Fonts in the browser (an external resource fetched by the client, not by the backend); the backend itself does not send data to remote servers.
If you accept these tradeoffs, run it on a trusted local machine and secure config.json. If you need higher assurance, ask for source provenance and a justification for the tls_insecure_set usage, or add credential encryption for config.json.
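To make point (2) concrete, here is an added example (not the skill's own code) that spells out what the flagged setting amounts to as an SSLContext and places the pinned alternative beside it: export the printer's self-signed certificate once and trust only that certificate, which keeps hostname checking off but makes a substituted certificate fail the handshake. The port (8883), the LAN user name ("bblp"), the report topic (device/<serial>/report) and the claim that the printer's certificate does not name its IP are assumptions not stated on the page; verify them against your printer before use.

```python
"""Weak versus pinned TLS for the skill's MQTT connection to a printer.

Added example, not the skill's own code. Assumptions (not stated on the
page): the printer accepts MQTT over TLS on port 8883 with a self-signed
certificate that does not name the printer's IP, the LAN user name is
"bblp" with the Access Code as password, and status arrives on
device/<serial>/report. Export the printer's certificate once, e.g.
    openssl s_client -connect <printer-ip>:8883 -showcerts </dev/null
and save the PEM block as printer.pem to use the pinned variant.
"""
import ssl


def insecure_context() -> ssl.SSLContext:
    """The setting the scan flags, spelled out as an SSLContext.

    Equivalent to tls_set(cert_reqs=ssl.CERT_NONE) + tls_insecure_set(True):
    traffic is encrypted, but nothing checks that the peer is the printer,
    so a host on the LAN that can intercept the connection may present any
    certificate and receive the Access Code in the MQTT CONNECT packet.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_context(printer_cert_pem: str) -> ssl.SSLContext:
    """Trust exactly one certificate: the one exported from the printer.

    Hostname checking stays off because the self-signed certificate does
    not name the printer's IP (assumption), but the presented certificate
    must chain to the pinned one, so a substituted certificate fails.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=printer_cert_pem)  # only this cert is trusted
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses a peer whose certificate is not trusted."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def connect_printer(ip: str, serial: str, access_code: str, printer_cert_pem: str = ""):
    """Build and connect a paho-mqtt client, pinned when a certificate path is given.

    paho-mqtt is listed in the skill's requirements.txt; it is imported here
    so the TLS helpers above stay usable without it installed.
    """
    import paho.mqtt.client as mqtt

    try:  # paho-mqtt 2.x requires the callback API version
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2)
    except AttributeError:  # paho-mqtt 1.x
        client = mqtt.Client()
    client.username_pw_set("bblp", access_code)
    ctx = pinned_context(printer_cert_pem) if printer_cert_pem else insecure_context()
    client.tls_set_context(ctx)
    # No tls_insecure_set(True) is needed: check_hostname is already off in
    # both contexts, and the pinned context still rejects unknown certificates.
    client.connect(ip, 8883)
    client.subscribe(f"device/{serial}/report")
    return client


if __name__ == "__main__":
    print("insecure context verifies peer:", verifies_peer(insecure_context()))
    # Against a real printer, once printer.pem has been exported:
    # connect_printer("192.168.1.50", "<serial>", "<access code>", "printer.pem").loop_forever()
```

The pinned variant replaces a global "accept anything" with "accept this one certificate", which is the right shape for a device that will never have a publicly trusted certificate; if the printer's firmware ever rotates its certificate the handshake will fail loudly, which is preferable to silently talking to something else.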
