Security audit

Kami Image Search

Security checks across malware telemetry and agentic risk

Overview

This camera-search skill is purpose-aligned, but it needs review because it processes sensitive home-camera imagery through a cloud API, runs background capture, and under-scopes credential and activation risks.

Install only if you are comfortable sending camera frames, imported images, and search text to Kamivision’s cloud API. Use it only with cameras you own or are authorized to monitor, treat RTSP URLs and the API key as secrets, restrict permissions on image_config.json and logs, review retention settings, and start background capture only when you intend continuous monitoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions even though the documented behavior clearly includes shell execution, local file read/write, and network access to cameras and a cloud API. This weakens user consent and platform enforcement because a user may install a camera-processing skill without being explicitly warned about its ability to access local files, launch scripts, and transmit data off-device.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill description understates several sensitive behaviors: uploading images and queries to an external cloud service, importing arbitrary local image directories, running long-lived background capture processes, and maintaining local indexes and retained image history. For a camera/home-monitoring skill, these omissions materially affect privacy and trust because users may not understand the full extent of collection, storage, and external transmission.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill captures or imports private camera images, then sends them to a remote AI service for description and embedding, but the user-facing metadata does not clearly disclose this cloud transmission. In a smart-home camera context, that omission is security-relevant because users may assume all analysis is local while sensitive household imagery is uploaded externally.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The published description emphasizes image search, but the code also supports continuous background camera capture and daemon management. In a home-surveillance setting, under-describing always-on capture behavior can materially mislead users about the scope of monitoring and increase privacy risk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The setup script can invoke `sudo apt update && sudo apt install ...` to install system-wide build dependencies, which exceeds the expected scope of a camera/image-search skill installer. Even though it is gated behind an interactive prompt, it still asks the user to grant elevated privileges and modifies the host outside the skill's isolated environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states that captured camera frames and imported local images are sent to the Kamivision cloud API for description and embedding generation, but it does not clearly warn users that potentially sensitive home surveillance data will leave the local environment. In the context of a smart-home image search skill, this omission can lead users to unknowingly upload private images of people, interiors, and belongings to a third-party service, creating privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README provides examples for RTSP URLs containing embedded credentials and instructs users to place API keys in configuration without warning that these values are sensitive secrets. In a home-camera skill, exposed stream URLs or API keys could enable unauthorized camera access, cloud API abuse, or accidental leakage through screenshots, logs, shell history, version control, or shared config files.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad phrases such as 'search image', 'find image', 'search camera', and 'check camera' that are likely to occur in normal conversation or overlap with other assistant capabilities. In a security-sensitive context involving cameras and cloud processing, accidental invocation could expose visual history, start camera-related actions, or send user queries to the vendor API without clear intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The call site sends base64-encoded image contents to a cloud API without any user-facing warning or consent prompt nearby in the flow. Because these are camera frames and imported photos from a smart-home environment, silent external transmission of sensitive visual data creates a significant privacy and compliance risk.

Missing User Warnings

Low
Confidence
83% confidence
Finding
Natural-language search queries are transmitted to a remote embedding service without an explicit warning, which may expose sensitive user intents or household activity information. While generally less sensitive than raw images, query text in this context can still reveal private surveillance interests or events.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
echo ""
        read -p "Install build dependencies with sudo? [y/N] " confirm
        if [[ "$confirm" =~ ^[Yy]$ ]]; then
            sudo apt update && sudo apt install -y \
                make build-essential libssl-dev zlib1g-dev \
                libbz2-dev libreadline-dev libsqlite3-dev \
                libncursesw5-dev xz-utils tk-dev libxml2-dev \
Confidence
98% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
echo ""
        read -p "Install build dependencies with sudo? [y/N] " confirm
        if [[ "$confirm" =~ ^[Yy]$ ]]; then
            sudo apt update && sudo apt install -y \
                make build-essential libssl-dev zlib1g-dev \
                libbz2-dev libreadline-dev libsqlite3-dev \
                libncursesw5-dev xz-utils tk-dev libxml2-dev \
Confidence
98% confidence
Finding
sudo

Unpinned Dependencies

Low
Category
Supply Chain
Content
opencv-python-headless
numpy
requests
Pillow
Confidence
96% confidence
Finding
opencv-python-headless

Unpinned Dependencies

Low
Category
Supply Chain
Content
opencv-python-headless
numpy
requests
Pillow
faiss-cpu
Confidence
96% confidence
Finding
numpy

Unpinned Dependencies

Low
Category
Supply Chain
Content
opencv-python-headless
numpy
requests
Pillow
faiss-cpu
hypothesis
Confidence
96% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
opencv-python-headless
numpy
requests
Pillow
faiss-cpu
hypothesis
Confidence
97% confidence
Finding
Pillow

Unpinned Dependencies

Low
Category
Supply Chain
Content
numpy
requests
Pillow
faiss-cpu
hypothesis
Confidence
93% confidence
Finding
faiss-cpu

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
Pillow
faiss-cpu
hypothesis
Confidence
88% confidence
Finding
hypothesis

Known Vulnerable Dependency: opencv-python-headless — 10 advisory(ies): CVE-2019-14493 (NULL Pointer Dereference in OpenCV.); CVE-2019-9423 (Out-of-bounds Write in OpenCV); CVE-2019-14491 (Out-of-bounds Read in OpenCV) +7 more

High
Category
Supply Chain
Confidence
86% confidence
Finding
opencv-python-headless

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
68% confidence
Finding
numpy

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
81% confidence
Finding
requests

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
Pillow

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
86% confidence
Finding
The trigger 'search image' overlaps with a generic built-in search command and increases the chance of accidental routing into this skill. Because the skill can query camera history and send requests to a cloud API, command shadowing is more than a usability issue and can lead to unintended data access or transmission.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
86% confidence
Finding
The trigger 'find image' conflicts with the generic built-in 'find' intent and may cause unintended invocation of this skill. In this context, that could surface camera-derived results or send search terms externally without the user's clear awareness that a third-party camera skill was activated.

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
85% confidence
Finding
The trigger 'search camera' conflicts with general search semantics and is broad enough to be invoked unintentionally during normal assistant use. Since this skill operates on sensitive home camera footage and may contact a cloud API, ambiguous activation increases privacy risk.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.