OctoClaw

Control OctoPrint 3D printer — monitor status, capture webcam snapshots, manage prints, analyze gcode, and detect errors. Use when the user asks about their...

This skill appears to do what it says (control OctoPrint and related tasks). Before installing: 1) Inspect the full scripts/octoprint.py (we only saw a truncated excerpt) to confirm there are no hidden network endpoints or unexpected behaviors. 2) Ensure the Python runtime has the 'requests' package available or install it in a controlled environment. 3) Keep config.json (which stores your OctoPrint API key and any Telegram tokens) private and only place trusted credentials there. 4) Be cautious with 'analyze' or 'upload' commands — they read local files, so don't point them at sensitive system files. 5) If you will enable Telegram features, verify the destination chat/token are correct and intended. If you want higher assurance, run the script in an isolated environment (container or VM) and review the complete source file for any network calls beyond OctoPrint/Telegram endpoints.

Type: OpenClaw Skill Name: octoclaw-print Version: 1.0.0 The `scripts/octoprint.py` skill bundle is classified as suspicious due to several high-risk capabilities that, while presented as legitimate functionality, create significant attack surfaces for an AI agent. Specifically, the `upload <local-path>` command allows reading arbitrary local files and uploading them to the configured OctoPrint instance. The `snapshot [output-path]` command allows writing webcam images to arbitrary local paths. Furthermore, the `telegram-msg` and underlying `send_telegram_photo` functions could be misused to exfiltrate arbitrary data or files to a configured Telegram chat. These capabilities, if exploited via prompt injection against the AI agent, could lead to unauthorized data exfiltration or arbitrary file manipulation, despite no explicit malicious intent being found in the code or `SKILL.md`.