Frameo Photo Frame Control

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its Frameo-control purpose, but its cloud client uses account tokens for state-changing calls while the documentation presents the cloud method as read-only.

Review this skill before installing. Only use it if you are comfortable giving it Frameo account/token access and ADB control of the frame. Protect or remove ~/.frameo_token, disable wireless ADB after use, and confirm any send, delete, reboot, or registration action before allowing the agent to run it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the cloud client may change Frameo account/client state, and cloud photo upload attempts may occur when --send is used, even if the user expects the cloud method to be read-only.

Why it was flagged

The script automatically calls a state-changing client-registration POST before normal operations, and also contains cloud upload POST attempts, while SKILL.md describes the cloud API path as limited/read-only for listing frames and account info.

Skill content

```python
token = get_token()
    register_client(token)
...
def register_client(token):
    r = requests.post(f"{BASE_API}/v1/managed-pairings/client", ...)
...
r = requests.post(endpoint, headers=headers, files=files, data=data)
```

Recommendation

Document every state-changing cloud action clearly, require explicit approval before POST/upload actions, avoid automatic registration during read-only operations, and require a specific frame ID before sending photos.

What this means

Anyone who can read the cached token file may be able to use the Frameo account/session until the token is revoked or expires.

Why it was flagged

The skill uses Frameo account credentials and requests refresh-capable OAuth access, then stores token data in a local token file. This is expected for a Frameo API integration, but it is sensitive account access.

Skill content

```python
FRAMEO_EMAIL = os.environ.get("FRAMEO_EMAIL", "")
FRAMEO_PASSWORD = os.environ.get("FRAMEO_PASSWORD", "")
...
"scope": "offline_access email profile"
...
TOKEN_FILE = Path.home() / ".frameo_token"
```

Recommendation

Use environment variables rather than hardcoding credentials, keep ~/.frameo_token private with restrictive file permissions, and delete or revoke the token when no longer needed.

What this means

A mistaken ADB command could delete photos, change device settings, reboot the frame, or leave wireless debugging reachable on the local network.

Why it was flagged

The documented ADB workflow enables wireless device control and includes destructive or disruptive frame actions. These commands are aligned with full frame control, but they are high-impact.

Skill content

```shell
adb tcpip 5555
...
adb shell rm /sdcard/Frameo/*.jpg
...
adb reboot
```

Recommendation

Only run ADB commands after confirming the target device and action, avoid bulk delete commands unless intended, and disconnect or disable wireless ADB after use.

What this means

The installed dependency versions may vary over time, and users must trust the package source used by pip.

Why it was flagged

The skill relies on manual installation of unpinned Python packages rather than a reviewed or pinned install specification.

Skill content

Install: `pip3 install requests pillow`

Recommendation

Install in a virtual environment, use trusted package indexes, and consider pinning known-good dependency versions.