Security audit

Kami Fall Detection

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it claims, but it handles home-camera footage and credentials with several under-disclosed external data flows and an install script that can delete a conda environment without confirmation.

Review before installing. Use only cameras and notification channels you have consent to monitor, assume motion-triggered clips leave your machine for KamiClaw analysis, disable local clip saving if you do not need it, and avoid Feishu webhook image fallback unless you are comfortable with the sm.ms upload path. Run setup in an environment where deleting a conda env named kami-fall would not matter, and prefer explicit tokens in this skill's config over implicit reuse from ~/.openclaw.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes capabilities that include reading environment variables, reading and writing local files, executing shell commands, and making network requests, but it does not declare corresponding permissions. This creates a transparency and consent problem: an agent or user may authorize the skill without understanding it can access secrets, modify configuration, invoke commands, and transmit data off-host. In a security-sensitive context involving camera streams and API keys, undeclared capabilities materially increase the risk of secret exposure and unintended system changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose focuses on cloud fall detection from RTSP streams, but the documented behavior expands into multiple third-party notification and image-upload channels, including reading notification credentials from local OpenClaw config and uploading images to external services. That mismatch is dangerous because users may believe they are authorizing only fall analysis while the skill can also exfiltrate screenshots or credentials to additional services beyond the primary vendor. In a home-monitoring skill, this increases privacy and secret-handling risk substantially.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README materially expands the documented capability set from fall detection plus Feishu alerts into Telegram/Discord integrations and even optional two-way communication. Scope expansion is security-relevant because operators may deploy extra messaging surfaces, tokens, and gateway services that were not clearly part of the skill’s stated purpose, increasing attack surface and risk of secret leakage or misuse.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documentation introduces two-way messaging and gateway-service language unrelated to the core function of cloud fall detection. Even as documentation-only content, this nudges users toward deploying additional bot credentials and interactive services, which broadens the trust boundary and can create unintended command-and-control or data exfiltration paths.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
When Feishu app credentials are unavailable, the code uploads posture images to `sm.ms`, an unrelated public third-party image host. In the context of fall detection for elderly monitoring, these images can contain highly sensitive personal/medical data, creating a serious privacy and compliance risk through unintended external disclosure.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation understates data-handling behavior by implying safer fallback options, while the implementation can publish alarm images to `sm.ms`. This mismatch is dangerous because operators may deploy the skill without realizing sensitive fall images can be sent to a public third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that video clips are uploaded to a cloud API for analysis but does not provide an explicit privacy notice, data-handling description, or user-consent warning. Because the content involves surveillance footage and elderly-care monitoring, omission of retention, sharing, and jurisdiction details creates substantial privacy and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises automatic alarm clip saving and detailed logs without warning that sensitive surveillance footage and incident metadata will be retained locally. In a home/elder-care context, persistent storage of fall events, RTSP sources, timestamps, and clips can expose highly sensitive personal data if the host is shared, backed up, or compromised.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The notifier transmits fall-alarm metadata and optionally an image file to Discord, which is a third-party service, without any in-code consent gate, warning, or privacy-control mechanism. In the context of elderly/home monitoring, these payloads may contain sensitive surveillance data, making undisclosed external transmission a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Bot API path sends monitoring details such as fall type, confidence, timestamp, reason, and potentially an attached image to a Discord channel, again without an explicit disclosure or confirmation mechanism. Because this skill handles home-camera fall detection, sending event data to an external chat platform can expose sensitive personal and location/activity information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill base64-encodes captured RTSP video clips and uploads them to an external cloud API for analysis. Because this involves transmission of potentially sensitive in-home camera footage, lack of a clear user-facing disclosure and consent mechanism creates a significant privacy and compliance risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The module may transfer alarm images to a third-party public host without any explicit warning, consent prompt, or visible configuration gate. Because this skill processes surveillance-derived fall images, silent upload materially increases the risk of privacy violations, data leakage, and regulatory exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically deletes and recreates an existing conda environment when the Python version does not match 3.10.x, using `conda env remove -y` without any confirmation or backup. This can destroy a user's installed packages and environment state unexpectedly, which is a real safety issue even if not an exploit in the classic sense.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The test harness prints the first part of the Telegram bot token to stdout, which discloses credential material into terminal history, logs, CI output, or screenshots. Even partial secret disclosure aids token fingerprinting and can expose enough information to correlate or mishandle credentials.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
7. Optionally run `python fall_detect_cloud_skill.py --list_cameras` to confirm the resolved camera list.
8. Run the skill.

**Never run with an empty `api_key`. Never run with `cameras` empty. When the user has multiple cameras, never accept missing/duplicate names — re-prompt until each camera has a unique label. Never ask the user to manually edit config.json.**

---
Confidence
84% confidence
Finding
Never ask the user

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
opencv-python-headless>=4.7.0
numpy>=1.23.0
Confidence
89% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
opencv-python-headless>=4.7.0
numpy>=1.23.0
Confidence
89% confidence
Finding
opencv-python-headless>=4.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
opencv-python-headless>=4.7.0
numpy>=1.23.0
Confidence
86% confidence
Finding
numpy>=1.23.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
76% confidence
Finding
requests

Known Vulnerable Dependency: opencv-python-headless — 10 advisory(ies): CVE-2019-14493 (NULL Pointer Dereference in OpenCV.); CVE-2019-9423 (Out-of-bounds Write in OpenCV); CVE-2019-14491 (Out-of-bounds Read in OpenCV) +7 more

High
Category
Supply Chain
Confidence
78% confidence
Finding
opencv-python-headless

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
67% confidence
Finding
numpy

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.