vispatrol-picture

Security checks across malware telemetry and agentic risk

Overview

This is a genuine VisPatrol camera-snapshot tool, but it uses a local session token to trigger camera captures and save sensitive images, and the authority that token grants is not fully enforced or scoped in the code.

Install only on a trusted Windows VisPatrol host where you intentionally approve use of %TEMP%/vpup.json. Confirm all-device captures separately, restrict where snapshots are saved or sent, treat outputs as sensitive surveillance data, and delete saved images when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior includes reading local files, writing snapshot images, using environment variables, making network requests, and invoking shell-related utilities in WSL/Windows contexts. This creates a misleading trust boundary for operators and reviewers, increasing the chance that sensitive local access and network activity are enabled without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill claims a narrow, read-only snapshot-query purpose, but the documented behavior expands into creating media streams and snapshot tasks, persisting downloaded files, caching device status/RTSP data, and exposing sensitive device metadata including usernames and passwords. Even if intended for legitimate operation, this mismatch hides materially broader capabilities and increases the risk of credential exposure, unintended device interaction, and overcollection of sensitive surveillance data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill collects the host MAC address and transforms it into a key used to decrypt the token from `vpup.json`, which exceeds a simple read-only snapshot query and creates a host-fingerprinting capability. This is dangerous because it silently binds local machine identity to credential recovery, increasing privacy risk and enabling access to privileged surveillance APIs without a clearer consent boundary.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implementation materially exceeds the manifest's stated behavior: instead of a read-only query, it creates media streams, triggers snapshot tasks, downloads images, and persists files locally. This mismatch is dangerous because users and orchestration layers may grant the skill narrow access based on the description while the code performs active surveillance actions and writes collected data to disk.

Scope Creep

High
Confidence
98% confidence
Finding
The code writes downloaded snapshot images to a local output directory (`~/.openclaw/workspace/tmp_files/` by default or caller-supplied path), which goes beyond the manifest's declared read-only access to `%TEMP%/vpup.json`. Persisting surveillance images locally increases data exposure, retention risk, and the chance that sensitive camera captures are accessed by other local processes or users.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
`query_snapshots` is described as a query function, but when provided a device it performs active capture operations. This semantic mismatch is dangerous because callers may invoke it under the assumption of passive retrieval, leading to unauthorized camera interaction and unexpected evidence collection.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
`execute_full_query` is documented as a query workflow but actually performs device enumeration, active snapshot triggering, downloading, and optional materialization from URLs. In a surveillance context, misleading workflow naming and documentation weaken operator awareness and can cause overbroad execution under insufficient consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script reads `vpup.json`, extracts the encrypted token, derives a decryption key from host identity, and decrypts the credential without any user-facing warning or consent check in code. This is dangerous because it silently converts local config material into usable authentication for backend services, expanding the skill from configuration reading into credential access and authenticated surveillance operations.

VirusTotal

65/65 vendors flagged this skill as clean.