Skillv1.0.0

ClawScan security

Android IP Webcam monitoring and alert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousFeb 18, 2026, 1:42 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's high-level purpose (use IP Webcam as a motion-detection edge sensor) is plausible and most declared requirements match that purpose, but the runtime instructions reference missing scripts and leave ambiguous how/where alert frames are transmitted, so the bundle is incomplete and gives the agent broad discretion.
Guidance: This skill appears to be a reasonable IP Webcam integration in concept, but the package is incomplete and somewhat ambiguous. Before installing or enabling it: 1) demand or inspect the missing scripts (bin/sentinel_ultra_frugal.sh and bin/sentinel_runner.sh) — do not run anything until you can review their code; 2) ensure required tools are present (compare from ImageMagick, curl, awk) and add jq if you plan to use the provided example; 3) confirm where alert frames are sent and whether that destination is local-only or an external service; 4) verify your phone/IP Webcam instance is protected by local network controls and any built-in authentication; and 5) prefer running the logic on an isolated host or sandbox until you have audited the scripts. Because the bundle omits key implementation files and leaves transmission behavior unspecified, treat it as untrusted until you can review the missing pieces.

Purpose & Capability: noteThe declared binaries (compare, curl, awk) and the included apt install for ImageMagick align with a pixel-comparison motion detector. However SKILL.md examples use jq (not listed as a required binary) and the instructions reference local scripts (bin/sentinel_ultra_frugal.sh, bin/sentinel_runner.sh) that are not present in the skill bundle, making the implementation incomplete.
Instruction Scope: concernInstructions are focused on fetching snapshots, camera control, and sensor data — all within scope. But they rely on absent local scripts for core logic and are vague about where 'alert-triggered frames are sent to the AI' (no destination, no auth or endpoint described). That vagueness gives an agent broad discretion to choose destinations or behaviors not documented here.
Install Mechanism: okInstall metadata points to apt installing ImageMagick (compare). Apt + official package is a low-risk, expected install mechanism for image comparison tasks.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. That matches the described local-network camera integration; no excessive secrets are requested.
Persistence & Privilege: okalways:false (not force-included) and autonomous invocation is the platform default. The skill does not request elevated persistence or attempt to modify other skills/configs.