Kami Package Detection

Security checks across malware telemetry and agentic risk

Overview

The skill’s core camera package detection purpose is coherent, but it under-discloses sensitive snapshot uploads, background monitoring, and credential exposure risks.

Review and edit the configuration before installing. Do not enable notification image attachments unless you accept that snapshots may leave your device, and remove or disable the sm.ms fallback if camera privacy matters. Avoid embedding camera passwords in RTSP URLs, since logs and --list-devices output can expose them. Pin dependencies to exact versions and check those versions against the advisories listed below, and run setup only after reviewing the download and optional sudo steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly exercises sensitive capabilities including shell execution, network access, and file reads/writes, but does not declare permissions or equivalent capability disclosures in the manifest. That weakens user consent and platform enforcement because operators may not realize setup downloads software, accesses RTSP streams, stores snapshots, and sends notifications outbound.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior exceeds the stated purpose in several security-relevant ways: remote downloads during setup, dependency installation, daemon/process management, and multiple outbound notification integrations. Most importantly, the skill uploads snapshots to a public image host, a material data-exfiltration behavior that is not disclosed in the top-level purpose and is especially sensitive for camera footage.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The README's privacy notice says there is no background daemon, cache, or residual data, but the same document advertises daemon mode and a 24-hour tracking window. This is a material misrepresentation about persistence and runtime behavior that can cause operators to deploy the skill under false privacy and retention assumptions, especially sensitive for camera-monitoring software.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The README claims the model is user-provided and that there is no external network traffic, yet the troubleshooting/setup text says setup.sh may download a model archive from a public URL. For a security-sensitive skill handling camera streams, inaccurate disclosure of external downloads undermines trust boundaries and can expose users to unreviewed third-party content or supply-chain risk.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The helper uploads local camera snapshots to `sm.ms`, a public third-party anonymous image host, as a fallback for notifications. In a smart-home package detection context, these images can expose doorsteps, homes, occupants, schedules, and deliveries, creating a real privacy and data-disclosure risk well beyond the stated purpose of sending an alert.

Context-Inappropriate Capability

Low
Confidence
96% confidence
Finding
The --list-devices path prints configured RTSP URLs directly, which may embed camera usernames, passwords, hostnames, or internal network details. Any user or integration able to invoke this command can retrieve sensitive connection information, enabling lateral access to camera feeds or disclosure of internal infrastructure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README does not prominently warn that setup may fetch model files from an external public host. Users following the quick start may assume installation is fully local, which weakens informed consent and increases supply-chain exposure if the remote host is compromised or blocked/intercepted.
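The two findings above (the undisclosed model download in setup.sh and the missing warning about it) both come down to the same practitioner check: treat the downloaded archive as untrusted input. The following is an added example, not code from the skill or its setup.sh. It assumes the model is shipped as a tarball and that the operator pins the archive's SHA-256 in their own configuration; the archive contents are constructed in a temporary directory so the example runs offline.

```python
"""Added example (not the skill's own setup.sh): pin the model archive's
SHA-256 and refuse tar members that would escape the destination directory."""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a large model archive need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sha256(path: str, expected_hex: str) -> bool:
    """Compare against the hash the operator pinned (assumed to live in config)."""
    return hmac.compare_digest(sha256_of_file(path).lower(), expected_hex.lower())


def unsafe_members(archive_path: str, dest_dir: str) -> list:
    """Names of members that would land outside dest_dir or are links/devices.

    An archive fetched from a public host may contain '../' paths, absolute
    paths or symlinks; extracting those can overwrite files setup never meant
    to touch.
    """
    dest_real = os.path.realpath(dest_dir)
    bad = []
    with tarfile.open(archive_path, "r:*") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            escapes = os.path.commonpath([dest_real, target]) != dest_real
            if escapes or member.issym() or member.islnk() or member.isdev():
                bad.append(member.name)
    return bad


def install_model(archive_path: str, expected_sha256: str, dest_dir: str) -> bool:
    """Verify the pin, vet every member, and only then extract. True on success."""
    if not verify_sha256(archive_path, expected_sha256):
        return False
    if unsafe_members(archive_path, dest_dir):
        return False
    with tarfile.open(archive_path, "r:*") as tar:
        try:
            tar.extractall(dest_dir, filter="data")  # Python >= 3.12 (and backports)
        except TypeError:
            tar.extractall(dest_dir)  # members were already vetted above
    return True


def build_test_archive(path: str, members: dict) -> None:
    """Construct a small tar.gz from in-memory bytes (test input, not a real model)."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo() -> dict:
    """Run the checks against one benign and one path-traversal archive."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "model.tar.gz")
        evil = os.path.join(tmp, "evil.tar.gz")
        dest = os.path.join(tmp, "models")
        os.makedirs(dest)
        build_test_archive(good, {"model.onnx": b"not-a-real-model"})
        build_test_archive(evil, {"../../etc/cron.d/x": b"* * * * * root id\n"})
        pinned = sha256_of_file(good)  # stands in for the hash kept in config
        return {
            "good_ok": install_model(good, pinned, dest),
            "wrong_hash": install_model(good, "0" * 64, dest),
            "traversal_blocked": install_model(evil, sha256_of_file(evil), dest),
            "unsafe": unsafe_members(evil, dest),
            "extracted": os.path.exists(os.path.join(dest, "model.onnx")),
        }


if __name__ == "__main__":
    print(demo())
```

The hash check and the member check are deliberately separate: a correct checksum proves the archive is the one the operator reviewed, not that its contents are safe to extract, and the member check catches a hostile archive even when no hash was pinned at all.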

Missing User Warnings

Low
Confidence
97% confidence
Finding
The privacy section states there is no background daemon, but daemon mode is documented elsewhere. While this specific inconsistency alone is lower impact than direct code execution, it still misleads operators about whether a long-running process may continue monitoring camera feeds after initial launch.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list includes broad phrases like 'detect', 'kami', and 'home assistant', which can cause accidental invocation of a skill that accesses cameras, manages background processes, and can generate outbound notifications. In a smart-home context, unintended activation is more dangerous because it may start persistent monitoring or expose camera-derived metadata without deliberate user intent.

Missing User Warnings

High
Confidence
99% confidence
Finding
Alarm snapshots are transmitted to a public image host without any visible consent flow, warning, or indication to the user that home-security imagery may become publicly accessible. Because this skill handles camera footage from a residence, the context makes the issue more serious: users would reasonably expect alerts to stay within their configured messaging platform, not be published via a third-party public URL.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The detector logs the RTSP URL at startup, and RTSP URLs commonly contain inline credentials such as username and password. This can leak secrets into log files and stdout/stderr collectors, exposing camera access to anyone who can read logs, backups, or centralized monitoring outputs.
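The --list-devices finding and the startup-log finding share one fix: never let the password part of an RTSP URL reach output. The following is an added example, not code from the skill. It assumes the detector uses Python's standard logging module and that device URLs are held in a plain name-to-URL mapping; the sample URLs and credentials are constructed.

```python
"""Added example (not the skill's own code): strip inline credentials from
RTSP URLs before they reach --list-devices output or the startup log."""
import io
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# Userinfo inside an rtsp:// or rtsps:// URL embedded anywhere in free text.
# Group 1 = scheme and user, group 2 = password, group 3 = the '@' separator.
# The password class is greedy and stops at '/' or whitespace, so the match
# backtracks to the last '@' before the path and keeps host:port intact.
_RTSP_USERINFO = re.compile(r"(rtsps?://[^:/@\s]*:)([^/\s]*)(@)", re.IGNORECASE)


def redact_rtsp_url(url: str) -> str:
    """Keep scheme, user, host, port and path; replace the password with '***'.

    Works on the raw netloc so IPv6 literals such as [fe80::1]:554 survive.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url  # no embedded credentials
    userinfo, hostport = parts.netloc.rsplit("@", 1)
    user = userinfo.split(":", 1)[0]
    masked = f"{user}:***@{hostport}" if ":" in userinfo else f"{user}@{hostport}"
    return urlunsplit(parts._replace(netloc=masked))


def redact_text(text: str) -> str:
    """Redact any RTSP password that appears anywhere in a log line."""
    return _RTSP_USERINFO.sub(r"\1***\3", text)


class RedactRtspFilter(logging.Filter):
    """Logging filter that scrubs the message and its string arguments."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(
                redact_text(a) if isinstance(a, str) else a for a in record.args
            )
        return True


def list_devices(devices: dict) -> list:
    """--list-devices output with passwords masked (assumed name -> URL mapping)."""
    return [f"{name}: {redact_rtsp_url(url)}" for name, url in devices.items()]


def logged_line(url: str) -> str:
    """Emit the startup message through a logger wearing the filter and return it."""
    logger = logging.getLogger("kami.redact.demo")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.handlers = [handler]
    logger.addFilter(RedactRtspFilter())
    logger.info("Starting detector on %s", url)
    handler.flush()
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample devices; the credentials are not real.
    sample = {
        "front_door": "rtsp://admin:hunter2@192.168.1.10:554/live",
        "garage": "rtsp://192.168.1.11:554/live",
    }
    print("\n".join(list_devices(sample)))
    print(logged_line(sample["front_door"]))
```

The filter is attached to the logger rather than a handler so the record is scrubbed before any handler, including a centralized collector, sees it. The username is kept because it is useful for troubleshooting and is rarely the secret; mask it too if your deployment treats it as one.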

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
echo ""
read -p "Install build dependencies with sudo? [y/N] " confirm
if [[ "$confirm" =~ ^[Yy]$ ]]; then
    sudo apt update && sudo apt install -y \
        make build-essential libssl-dev zlib1g-dev \
        libbz2-dev libreadline-dev libsqlite3-dev \
        libncursesw5-dev xz-utils tk-dev libxml2-dev \
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
echo ""
read -p "Install build dependencies with sudo? [y/N] " confirm
if [[ "$confirm" =~ ^[Yy]$ ]]; then
    sudo apt update && sudo apt install -y \
        make build-essential libssl-dev zlib1g-dev \
        libbz2-dev libreadline-dev libsqlite3-dev \
        libncursesw5-dev xz-utils tk-dev libxml2-dev \
Confidence
93% confidence
Finding
sudo

Unpinned Dependencies

Low
Category
Supply Chain
Content
onnxruntime
opencv-python-headless
numpy
requests
Confidence
95% confidence
Finding
onnxruntime

Unpinned Dependencies

Low
Category
Supply Chain
Content
onnxruntime
opencv-python-headless
numpy
requests
Confidence
98% confidence
Finding
opencv-python-headless

Unpinned Dependencies

Low
Category
Supply Chain
Content
onnxruntime
opencv-python-headless
numpy
requests
Confidence
97% confidence
Finding
numpy

Unpinned Dependencies

Low
Category
Supply Chain
Content
onnxruntime
opencv-python-headless
numpy
requests
Confidence
98% confidence
Finding
requests
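The four findings above are the same requirements file matched once per package. The check a reviewer would automate is shown below as an added example, not code from the skill or the scanner: a small requirements parser that reports every package not pinned to an exact version and, optionally, every package without a --hash entry. The sample files are constructed; the version numbers and hash digest in the pinned sample are placeholders.

```python
"""Added example (not the skill's own code): flag requirement lines that are
not pinned to an exact version, and optionally those without --hash pins."""
import re

# PEP 508 project name, optional [extras], then whatever specifier follows.
_REQ_LINE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(?P<rest>.*)$"
)


def parse_requirements(text: str) -> list:
    """Return (name, specifier, has_hash) for each package line.

    Comments, blank lines, backslash continuations and pip options such as
    -r or --index-url are handled; URL/VCS requirements are out of scope.
    """
    joined = text.replace("\\\n", " ")  # fold continuation lines used by --hash
    out = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("-"):
            continue
        m = _REQ_LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        has_hash = "--hash=" in rest
        spec = rest.split("--hash=", 1)[0].split(";", 1)[0].strip()
        out.append((m.group("name").lower(), spec, has_hash))
    return out


def unpinned(text: str, require_hashes: bool = False) -> list:
    """Names not pinned with '==' to one exact version (wildcards do not count)."""
    bad = []
    for name, spec, has_hash in parse_requirements(text):
        exact = spec.startswith("==") and "*" not in spec
        if not exact or (require_hashes and not has_hash):
            bad.append(name)
    return bad


# Constructed sample mirroring the skill's requirements list (all unpinned).
SAMPLE_UNPINNED = """\
onnxruntime
opencv-python-headless
numpy
requests
"""

# Constructed sample of the corrected form; versions and digest are placeholders.
SAMPLE_PINNED = """\
--index-url https://pypi.org/simple
onnxruntime==1.0.0
opencv-python-headless==4.0.0
numpy==1.0.0  # exact pin, no hash
requests==2.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""


if __name__ == "__main__":
    print("unpinned:", unpinned(SAMPLE_UNPINNED))
    print("missing hashes:", unpinned(SAMPLE_PINNED, require_hashes=True))
```

Exact pins fix the version the advisories below can be evaluated against; adding --hash entries (pip's --require-hashes mode) additionally ties each pin to a specific artifact, which is the stronger control when the index or a mirror cannot be fully trusted.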

Known Vulnerable Dependency: opencv-python-headless — 10 advisory(ies): CVE-2019-14493 (NULL Pointer Dereference in OpenCV.); CVE-2019-9423 (Out-of-bounds Write in OpenCV); CVE-2019-14491 (Out-of-bounds Read in OpenCV) +7 more

High
Category
Supply Chain
Confidence
82% confidence
Finding
opencv-python-headless

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
73% confidence
Finding
numpy

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
88% confidence
Finding
requests

VirusTotal

65/65 vendors flagged this skill as clean.
