Trust Assessment
bambu-local received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings include Unrestricted G-code Execution, Insecure MQTT Connection (TLS Certificate Verification Disabled), Unpinned Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unrestricted G-code Execution: The `send_gcode` function directly passes user-provided input (`args.code`) as a G-code command to the 3D printer. While G-code is a standard printer control language, allowing arbitrary G-code execution without validation or sanitization can lead to dangerous physical actions, such as rapid uncontrolled movements, setting extreme temperatures, or other operations that could damage the printer, cause safety hazards, or waste materials. An AI agent, if prompted maliciously, could be coerced into sending harmful G-code commands. Implement a whitelist or strict validation for G-code commands if the intent is to restrict the types of G-code that can be sent. For example, only allow specific, safe G-code commands or patterns. If arbitrary G-code is an intended feature, ensure the user is fully aware of the risks and that the AI agent is robustly protected against prompt injection that could lead to misuse. | LLM | bambu.py:120 |
| HIGH | Insecure MQTT Connection (TLS Certificate Verification Disabled): The MQTT client is configured to disable SSL/TLS certificate verification using `client.tls_set(cert_reqs=ssl.CERT_NONE)` and `client.tls_insecure_set(True)`. This makes the connection vulnerable to Man-in-the-Middle (MITM) attacks, where an attacker on the local network could intercept, read, or modify communication between the skill and the 3D printer. Although this is for a local network, it compromises the integrity and confidentiality of the communication. Enable proper TLS certificate verification. If the printer uses a self-signed certificate, provide a mechanism to trust that certificate (e.g., by specifying a CA certificate file). If the printer does not support secure TLS, consider the implications of transmitting sensitive data (like access codes) over an unencrypted or unverified channel. | LLM | bambu.py:29 |
| INFO | Unpinned Dependency: The `paho-mqtt` dependency is installed without a specific version pin (`pip install paho-mqtt`). This introduces a supply chain risk, as future installations could pull in a new, potentially breaking, or even malicious version of the library if its maintainers' systems were compromised. While `paho-mqtt` is a widely used and generally trusted library, unpinned dependencies are a common vector for supply chain attacks. Pin the dependency to a specific version (e.g., `pip install paho-mqtt==1.6.1`) or use a `requirements.txt` file with exact versions to ensure reproducible and secure installations. Regularly review and update pinned dependencies. | LLM | SKILL.md:11 |