Kami Video Search
ReviewAudited by ClawScan on May 13, 2026.
Overview
No artifact-backed malicious behavior was found, but this skill handles sensitive camera footage and credentials, uploads camera-derived data to Kamivision, and can keep recording in the background until stopped.
Install only if you are comfortable giving the skill access to your camera stream and sending camera-derived data to Kamivision for analysis. Use dedicated credentials, protect the configuration file, confirm upload mode and retention before starting, and remember that background recording continues until you explicitly stop it.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the configured stream URL or API key may be able to view camera feeds or use the Kamivision account.
The skill requires camera stream credentials and a Kamivision API key. This is expected for the stated function, but these credentials can grant access to private camera feeds and provider usage.
`STREAM_URL` ... `rtsp://admin:pass@192.168.1.100:554/stream1` ... `KAMI_API_KEY` ... Kamivision API key
Use a dedicated low-privilege camera account and API key, protect stream_config.json, and rotate credentials if you uninstall or stop using the skill.
Private camera snapshots, and optionally full video clips, may leave the local machine for analysis by Kamivision.
The skill sends camera-derived data to an external provider API. This is disclosed and aligned with AI video search, but it crosses a privacy boundary.
Camera-derived images (or videos, if `SUMMARY_UPLOAD_MODE=video`) are sent to the external Kamivision API for AI analysis.
Review the provider’s privacy terms, confirm `SUMMARY_UPLOAD_MODE` before recording, and avoid using the skill for highly sensitive camera locations unless appropriate.
The local data directory can reveal a history of events captured by the camera, even without opening the original videos.
The skill persists AI-generated descriptions and embeddings locally for future search. This is expected for video search, but it creates a private searchable memory of camera activity.
Descriptions and embeddings of camera clips are stored in a local SQLite database, creating a searchable record of recorded events.
Store the data directory in a protected location, set an appropriate retention period, and delete the database and clips when they are no longer needed.
Recording may continue consuming disk space and sending footage-derived data until the user stops it.
The skill intentionally runs a long-lived background recording process. This is disclosed and central to the product, but it is persistent activity outside a single chat turn.
Background recording — start/stop via chat, runs as a daemon process ... will continue recording until explicitly stopped.
Check recording status regularly, stop recording when not needed, monitor disk usage, and verify logs if behavior is unexpected.
Recorded clips may be permanently removed after the configured retention period.
The skill performs automatic local deletion of old recording files. This is disclosed and purpose-aligned, but it is a destructive action controlled by configuration.
Auto cleanup — old recordings are deleted after configurable retention days
Set `RETENTION_DAYS` deliberately, back up important footage elsewhere, and use `0` only if you intentionally want no automatic deletion.
Future installations may receive different dependency versions from PyPI.
Dependencies are installed from package ranges rather than exact pinned versions. This is common and the README recommends an isolated virtual environment, but exact reproducibility is weaker.
numpy>=1.20.0,<2.0.0 requests>=2.25.0,<3.0.0 opencv-python>=4.5.0,<5.0.0
For sensitive deployments, pin exact dependency versions, install only inside the skill’s virtual environment, and review package provenance.