Is codeofaxel/kiln safe?

DISASTER_RECOVERY.md is an internal developer operations document bundled into the public skill package. It discloses every credential environment variable name used by the kiln platform (KILN_STRIPE_SECRET_KEY, KILN_CIRCLE_API_KEY, KILN_CIRCLE_ENTITY_SECRET, KILN_CIRCLE_WALLET_ID, KILN_API_AUTH_TOKEN, KILN_MASTER_KEY, and more), the on-disk paths for all sensitive files (~/.kiln/kiln.db, ~/.kiln/credentials.db, ~/.kiln/master.key), the encryption algorithm (PBKDF2 + XOR), and the full credential rotation schedule. This intelligence dramatically lowers the barrier for a targeted credential extraction attack against any user of kiln.

The skill defines a tiered autonomy system where Level 2 ('Full Trust') allows the agent to start prints, set temperatures, send raw G-code, and place manufacturing orders without any human confirmation. The agent can change its own autonomy level via kiln autonomy set LEVEL (a confirm-level command). Once Level 2 is active, all subsequent physical and financial actions execute silently. An attacker who can influence the agent's context (via prompt injection from printer filenames, G-code comments, or other sources) could trigger autonomy escalation and then issue destructive commands.

The skill provides authenticated, direct control over physical 3D printers with no reversibility for many operations. Start-print and cancel-print are irreversible. Temperature setting to extreme values (up to limits, and the temperature validation bugs disclosed in LESSONS_LEARNED.md suggest historical bypass paths) could cause hardware damage or fire. Raw G-code execution gives the agent the equivalent of a printer shell. These risks compound when the agent operates at Level 2 autonomy, and further when fleet mode is active (multiple printers).

The skill package contains at least 5 files that are clearly internal developer documents: DISASTER_RECOVERY.md (ops runbook with credentials), FORGE_LAUNCH_DAY_TASKS.md (unreleased product launch plan), USC_PARTNERSHIP_BRIEF.md (external partnership negotiations with named contacts), SWARM_GUIDE.md (internal AI development system), and LESSONS_LEARNED.md (security vulnerability history). These files reveal business contacts, competitive strategy, infrastructure details, and historical security vulnerabilities to any user who installs the skill.

The skill's install metadata specifies installation via uv from the GitHub source repository (https://github.com/codeofaxel/Kiln.git), not a locked PyPI release. This means: (1) the installed code can change between audits without version change, enabling a silent supply chain attack; (2) Python package installation via uv can execute build hooks in pyproject.toml; (3) the 'subdirectory' parameter is specified but the full repo is cloned first, meaning all repo content runs during install resolution.

The skill allows the agent to register webhooks to any HTTPS URL and subscribe to printer events (print_complete, print_failed, etc.). Webhook payloads include operational data about print jobs. An attacker who can influence agent behavior (via prompt injection from printer data, or social engineering) can register a webhook to an attacker-controlled server, establishing a persistent data exfiltration channel. The HMAC-SHA256 signing only authenticates the payload to the receiver — it doesn't prevent sending to attacker endpoints.

At Level 2 autonomy, the agent can place manufacturing orders with Craftcloud or Sculpteo (outsourced fabrication services) via kiln order place QUOTE_ID --json without asking the user for confirmation. Quotes can include material costs plus shipping. A compromised or manipulated agent could place real orders spending real money. This is listed as a 'confirm' level command, but the confirm-level behavior is explicitly overridden at Level 2.

The LESSONS_LEARNED.md file discloses specific historical security vulnerabilities: path traversal in save/write operations, timing-safe comparison bypass in REST API auth, parameter pollution via **body injection, and negative temperature bypass in G-code validation. While these are described as fixed, they reveal the attack surface, historical weaknesses, and current mitigations — intelligence useful to an attacker targeting any kiln deployment.

The skill includes a 2.5% platform fee (configurable 0-15%) on any revenue from models published through the kiln marketplace pipeline. This is disclosed in the SKILL.md licensing section but is easy to miss. The fee is controlled by KILN_PLATFORM_FEE_PCT and applies to commercial activity enabled by the skill.

FORGE_LAUNCH_DAY_TASKS.md reveals an unreleased product 'Forge' that extends kiln to SLA printers, laser cutters, and CNC mills with 193 new MCP tools, 32 CLI commands, 12 device adapters, and 7 new database tables. This is a competitive intelligence leak that is inappropriate to include in a public skill package.

The skill requires prusaslicer or orcaslicer to be installed on the host (specified in anyBins). These are large desktop applications installed separately. The skill does not verify the integrity of these binaries, creating a dependency on the security of the host's slicer installation.