Trust Assessment
bambu-lab received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 9 findings: 2 critical, 3 high, 2 medium, and 2 low severity. Key findings include "Suspicious import: urllib.request", "Hardcoded MQTT Credentials", and "TLS Certificate Verification Disabled".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **TLS Certificate Verification Disabled.** The MQTT client in `bambu.py` and `bambu_monitor.py` explicitly disables TLS certificate verification (`self.client.tls_insecure_set(True)`). This makes the communication vulnerable to Man-in-the-Middle (MitM) attacks, allowing an attacker to intercept, read, or modify sensitive data and commands exchanged with the 3D printer. Remediation: enable TLS certificate verification; provide a trusted Certificate Authority (CA) certificate if the MQTT broker uses a self-signed or private certificate; remove `self.client.tls_insecure_set(True)`. | LLM | scripts/bambu.py:30 |
| CRITICAL | **TLS Certificate Verification Disabled.** The MQTT client in `bambu.py` and `bambu_monitor.py` explicitly disables TLS certificate verification (`self.client.tls_insecure_set(True)`). This makes the communication vulnerable to Man-in-the-Middle (MitM) attacks, allowing an attacker to intercept, read, or modify sensitive data and commands exchanged with the 3D printer. Remediation: enable TLS certificate verification; provide a trusted Certificate Authority (CA) certificate if the MQTT broker uses a self-signed or private certificate; remove `self.client.tls_insecure_set(True)`. | LLM | scripts/bambu_monitor.py:30 |
| HIGH | **Hardcoded MQTT Credentials.** The skill contains hardcoded MQTT serial numbers and access codes in multiple scripts. While `bambu.sh` allows environment variable overrides, `bambu.py` and `bambu_monitor.py` directly use these hardcoded values. This poses a significant security risk, as these credentials are sensitive and should not be stored directly in the code. If these are real credentials, they could be exposed. Remediation: replace hardcoded credentials with environment variables, a secure configuration file, or a secrets management system; ensure all scripts respect these secure configurations. | LLM | scripts/bambu.py:16 |
| HIGH | **Hardcoded MQTT Credentials.** The skill contains hardcoded MQTT serial numbers and access codes in multiple scripts. While `bambu.sh` allows environment variable overrides, `bambu.py` and `bambu_monitor.py` directly use these hardcoded values. This poses a significant security risk, as these credentials are sensitive and should not be stored directly in the code. If these are real credentials, they could be exposed. Remediation: replace hardcoded credentials with environment variables, a secure configuration file, or a secrets management system; ensure all scripts respect these secure configurations. | LLM | scripts/bambu_monitor.py:21 |
| HIGH | **Prompt Injection via Notification Messages.** The `bambu_monitor.py` script generates notification messages that include user-controlled data (e.g., `filename`), writes them to `/tmp/bambu_notification.txt`, and prints them to stdout. If the host LLM processes these outputs directly, a malicious `filename` could be crafted to inject instructions or manipulate the LLM's behavior. Remediation: sanitize all user-controlled strings (like `filename`) before including them in messages that are processed by an LLM; implement strict input validation and encoding to prevent prompt injection. | LLM | scripts/bambu_monitor.py:80 |
| MEDIUM | **Suspicious import: urllib.request.** Import of `urllib.request` detected. This module provides network or low-level system access. Verify this import is necessary; network and system modules in skill code may indicate data exfiltration. | Static | skills/photonixlaser-ux/bambu-lab-skill/scripts/bambu_monitor.py:96 |
| MEDIUM | **Sensitive Data Stored in State File.** The `bambu_monitor.py` script stores printer status, including the `filename`, in a JSON state file (`/home/node/.openclaw/workspace/.bambu_state.json`). If printer filenames contain sensitive information (e.g., project names, client data), this could lead to unintended data exposure if the file is not adequately protected or if the skill environment is compromised. Remediation: review the data stored in the state file and avoid storing sensitive information; if sensitive data must be stored, ensure it is encrypted at rest and access is strictly controlled; sanitize or redact potentially sensitive parts of the `filename` before storage. | LLM | scripts/bambu_monitor.py:13 |
| LOW | **Unpinned Python Dependency.** The `bambu.py` and `bambu_monitor.py` scripts import `paho.mqtt.client` without specifying a version. This unpinned dependency means that `pip install` will always fetch the latest version, which could introduce breaking changes, unexpected behavior, or even security vulnerabilities if a future version has issues. This is a minor supply chain risk. Remediation: pin the dependency version in a `requirements.txt` file (e.g., `paho-mqtt==1.6.1`) to ensure consistent and secure installations. | LLM | scripts/bambu.py:10 |
| LOW | **Unpinned Python Dependency.** The `bambu.py` and `bambu_monitor.py` scripts import `paho.mqtt.client` without specifying a version. This unpinned dependency means that `pip install` will always fetch the latest version, which could introduce breaking changes, unexpected behavior, or even security vulnerabilities if a future version has issues. This is a minor supply chain risk. Remediation: pin the dependency version in a `requirements.txt` file (e.g., `paho-mqtt==1.6.1`) to ensure consistent and secure installations. | LLM | scripts/bambu_monitor.py:10 |