Kami Fall Detection
ReviewAudited by ClawScan on May 13, 2026.
Overview
The fall-detection workflow is mostly disclosed, but the package includes under-documented access to local Feishu credentials and handles sensitive camera data.
Review this skill before installing. It is designed to upload fall-event video clips to KamiClaw and may store API keys, camera URLs, logs, and clips locally. Prefer webhook-only Feishu notifications unless you intentionally want the skill to use local OpenClaw Feishu app credentials, and do not provide the unexplained QWEN key shown by setup.sh.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill package may access local Feishu app secrets if that notification path is used, not just the API key and webhook the user explicitly provides.
The code can read Feishu app credentials from local OpenClaw configuration files. That is high-impact credential/profile access and is broader than the main documented requirement of a KamiClaw API key plus optional Feishu webhook URL.
config_paths = [Path.home() / ".openclaw" / "openclaw2.json", Path.home() / ".openclaw" / "openclaw.json"] ... app_id = fall_detection.get("appId") ... app_secret = fall_detection.get("appSecret")Only install if you trust the publisher and understand this credential path. Prefer webhook-only notifications, remove or disable the local-config credential helper if unnecessary, and document/ask before reading ~/.openclaw credential files.
Motion-triggered clips from the RTSP camera or local video can be uploaded to an external provider for analysis.
The skill base64-encodes video clips and sends them to the KamiClaw cloud API. This is expected for server-side fall detection, but it means private camera footage leaves the device.
KAMICLAW_API_URL = "https://kamiclaw-skill-api.kamihome.com/v1/detect" ... "videoFile": _file_to_base64(video_path)
Use only with appropriate consent, confirm the provider’s privacy/retention terms, and avoid monitoring areas where sensitive footage should not leave the local network.
Anyone or any process that can read the skill directory may be able to see the API key and camera URL.
The skill explicitly persists the KamiClaw API key and camera/source URL in a local config file. This is disclosed and purpose-aligned, but those values are sensitive.
Tell the agent your API key and RTSP URL. The agent will automatically save them to `config.json`.
Protect the skill directory permissions, avoid embedding camera passwords in RTSP URLs when possible, rotate exposed keys, and delete config/log files when no longer needed.
The camera monitoring process can continue running and uploading event clips until the user stops it or sets a runtime limit.
The skill is designed as a long-running monitor with an unlimited default runtime. This is normal for fall monitoring, but users should be aware it may keep processing until stopped.
`run_time` | `0` | Max run time in seconds; `0` = unlimited ... The skill runs continuously and prints a JSON alarm line ... It does not stop after an alarm
Set a finite run_time for testing, monitor resource/network use, and run it under a user account with only the permissions it needs.
Running setup can modify the local Python environment and, in some cases, install OS packages with sudo.
The user-directed setup script may run privileged package-manager commands if Python is missing and installs Python dependencies. This is common setup behavior, but it executes local shell commands and downloads packages.
sudo apt update && sudo apt install -y python3 python3-venv ... "$VENV_DIR/bin/pip" install -q -r "$SKILL_DIR/requirements.txt"
Inspect setup.sh before running, use an isolated environment, and only enter sudo credentials if you expect Python installation.
A user might supply an unrelated API key that is not explained by the skill documentation.
The setup output references an undeclared QWEN API key even though the documented primary credential is KAMICLAW_API_KEY. The artifact does not prove this key is used, but the inconsistency could confuse users into providing an unnecessary credential.
echo " --qwen_api_key <QWEN_KEY>"
Do not provide a QWEN key unless the publisher documents why it is needed and how it is handled; the publisher should remove or explain this setup output.