bambu-agent

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a legitimate local Bambu printer monitor, but it needs printer access codes and runs a local background dashboard, so users should install it only on a trusted machine and network.

This skill is reasonable for local Bambu printer monitoring, but treat it as software that handles printer credentials. Keep config.json private, run it only on a trusted computer and LAN, be aware that serial numbers are present in the local API data even though the agent is told not to speak them, and verify the unknown-source package before running the Python service.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read the generated config.json may get printer access credentials and serial numbers.

Why it was flagged

The setup wizard collects printer access codes and serial numbers and stores them, as plain JSON, in config.json. This is expected for local Bambu printer monitoring, but it is sensitive credential/device information, and the registry metadata declares no primary credential, so nothing tells a user up front that a secret will be written to disk.

Skill content
code = input("请输入访问码 (Access Code): ") ... sn = input("请输入序列号 (SN): ") ... json.dump(farm_list, f, indent=4, ensure_ascii=False)
(The two prompts read "Please enter the access code" and "Please enter the serial number".)
Recommendation

Keep config.json private: create it with owner-only permissions (mode 0600) rather than the process default, avoid installing on shared machines, and consider a secrets store for the printer access code so it is not held alongside the rest of the config.
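The following is an added example, not code from the skill, of what the "file permissions" part of that recommendation looks like in practice: the config is created with mode 0600 before any bytes are written and swapped into place atomically, and the loader refuses a config.json that other local users can read. The farm list is a constructed sample in the shape the wizard writes; the key names and values are assumed. It assumes a POSIX filesystem that honours mode bits.

```python
import json
import os
import stat
import tempfile
from typing import Any

# Constructed sample in the shape the setup wizard writes (a list of
# printers); the key names and values are made up for this example.
SAMPLE_FARM = [
    {"name": "X1C-office", "ip": "192.168.1.50",
     "access_code": "12345678", "sn": "EXAMPLESERIAL1234"},
]


def write_private_json(path: str, data: Any) -> None:
    """Write `data` as JSON so that only the file owner can read it.

    mkstemp creates the temporary file with mode 0o600 before any bytes are
    written, and os.replace swaps it into place atomically, so there is no
    moment at which a world-readable config.json containing the access code
    exists on disk.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".config-", suffix=".tmp", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            os.fchmod(f.fileno(), 0o600)  # make the intended mode explicit
            json.dump(data, f, indent=4, ensure_ascii=False)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_path, path)
    except BaseException:
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise


def load_private_json(path: str) -> Any:
    """Load the config, refusing to use a file other local users can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} has mode {mode:04o}; it must not be group/world accessible "
            "(chmod 600) before the access code in it is used"
        )
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def demo() -> dict:
    """Round-trip the sample, then show the loader rejecting a copy that was
    left world-readable. Returns the observations so they can be checked."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.json")
        write_private_json(path, SAMPLE_FARM)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        roundtrip = load_private_json(path) == SAMPLE_FARM
        os.chmod(path, 0o644)  # simulate a config.json created with a lax umask
        try:
            load_private_json(path)
            rejected = False
        except PermissionError:
            rejected = True
    return {"mode": mode, "roundtrip": roundtrip, "rejected_world_readable": rejected}


if __name__ == "__main__":
    print(demo())
```

The loader check matters as much as the writer: a config.json copied from another machine or created by an older version of the wizard keeps whatever mode it had, and refusing to start is safer than quietly using a credential file the whole machine can read.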

What this means

On an untrusted or compromised network, any device that answers at the printer's address can complete the TLS handshake with a certificate of its own choosing and receive the printer access code in the MQTT CONNECT packet the client sends next.

Why it was flagged

The printer access code is used as the MQTT password while TLS certificate verification is disabled: cert_reqs=ssl.CERT_NONE accepts any certificate, and tls_insecure_set(True) skips hostname matching, so the client cannot tell the real printer from an impersonator. This may be necessary for some local printer setups, but it weakens protection against local-network impersonation.

Skill content
client.tls_set(cert_reqs=ssl.CERT_NONE)
client.tls_insecure_set(True)
client.username_pw_set("bblp", self.access_code)
Recommendation

Run this only on a trusted local network. Where possible, pin the printer's certificate instead: export it once over a connection you trust, then load it as the only trusted CA with certificate verification required (hostname matching may still need to stay off if the certificate does not name the printer's LAN address, but the certificate itself is then checked).

What this means

The local dashboard and printer-monitoring connections may start automatically when the skill is launched.

Why it was flagged

The skill is configured to auto-start; main.py then loads the config and starts the MQTT monitoring threads. This fits real-time monitoring, but it means the service keeps running in the background, with the access code loaded, whether or not anyone is using the dashboard.

Skill content
"auto_start": true
Recommendation

Install only if you want continuous monitoring, and know how to stop or disable the service when it is not needed.

What this means

The printer serial may be visible to the local dashboard, API clients, or the agent context even if it is not spoken to the user.

Why it was flagged

The status API returns the full printer serial inside the info object, while SKILL.md tells the agent not to fully expose serial numbers in interactions. The serial appears to be used for dashboard state, but users should know it is still present in the API data; an instruction to the agent does not remove it from the response.

Skill content
self.info = {"name": name, "model": model, "serial": serial} ... "info": self.info
Recommendation

Mask or omit serial numbers in API responses unless they are strictly needed, doing so at the API boundary rather than relying on the SKILL.md instruction to the agent, and avoid sharing raw API output.
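An added example, not the skill's code, of masking at the API boundary: a redactor that walks the status payload and masks the sensitive keys wherever they appear, so the dashboard and any agent context see only the tail of the serial. The sample response is constructed to match the shape quoted above (an info object nested under each printer); the surrounding keys, the list of sensitive key names and the number of characters kept are assumptions.

```python
import copy
from typing import Any, Iterable

# Keys to mask wherever they occur in a response. "serial" matches the info
# object quoted above; "sn" and "access_code" are the config.json names, added
# defensively in case config values are ever echoed through the API.
SENSITIVE_KEYS = frozenset({"serial", "sn", "access_code"})


def mask_value(value: str, keep: int = 4) -> str:
    """Keep the last `keep` characters (enough to tell printers apart) and
    replace the rest with asterisks."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def redact(obj: Any, keys: Iterable[str] = SENSITIVE_KEYS) -> Any:
    """Return a copy of `obj` with matching string values masked, recursing
    into nested dicts and lists. The input is never mutated, so the
    in-memory state the dashboard relies on keeps the full serial."""
    keys = frozenset(keys)
    if isinstance(obj, dict):
        return {
            k: mask_value(v) if k in keys and isinstance(v, str) else redact(v, keys)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v, keys) for v in obj]
    return copy.copy(obj)


# Constructed sample status response; values are made up for this example.
SAMPLE_STATUS = {
    "printers": [
        {
            "info": {"name": "X1C-office", "model": "X1C", "serial": "EXAMPLESERIAL1234"},
            "state": {"gcode_state": "RUNNING", "mc_percent": 42},
        }
    ]
}


def redacted_status() -> dict:
    """What the status endpoint should hand out instead of the raw payload."""
    return redact(SAMPLE_STATUS)


if __name__ == "__main__":
    print(redacted_status())
```

Applying the redactor in the API handler, rather than in each caller, means a new client (or the agent reading raw JSON) cannot accidentally bypass it.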

What this means

Users have less publisher/provenance information to rely on before running the included Python code.

Why it was flagged

The package has no declared source/homepage and no formal install spec, while README.md instructs manual Python dependency installation. The requirements are pinned and no hidden installer is shown, so this is a provenance note rather than a concrete malicious signal.

Skill content
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Recommendation

Review the bundled files, verify the publisher if possible, and install dependencies in a virtual environment. Pinned versions alone do not prove that the downloaded packages are the intended ones; pip's hash-checking mode (--require-hashes, with hashes recorded in the requirements file) closes that gap.