Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
raspberry-pi-camera-service
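v1.0.0
Provides the ability to take photos, record video, or directly generate GIFs using the camera. When to trigger: when a photo needs to be taken, when the current field of view needs to be observed for a period of time, or when the progress of something needs to be followed.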
by @cld1994
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code, client, and deploy scripts implement exactly a Pi camera HTTP service (Picamera2 + FFmpeg + FastAPI) as described. However the declared skill metadata lists no required binaries or env vars even though the runtime needs Python3, systemd (for the install script), ffmpeg (for USB / conversion), and (optionally) picamera2 for CSI cameras. This mismatch (metadata says nothing required but files clearly expect these components) is an incoherence to be aware of.
Instruction Scope
The runtime instructions and code restrict activity to camera control, file creation in an output dir, and local HTTP API interactions — no hidden external endpoints or credential exfiltration are present. However the included deployment/template .env uses HOST=0.0.0.0 by default, so the service will be network-accessible unless you change it or firewall it; the service also supports persistent background conversion and a heartbeat mechanism that can keep recordings active for extended periods. These networking and persistence behaviors increase exposure and should be configured intentionally.
Install Mechanism
There is no formal install spec in the registry, but the bundle includes deploy/install.sh which is a root-run installer that: creates /opt/camera-service, writes systemd unit files, enables and starts a service, copies files, creates a virtualenv, and (notably) installs a camera-client package into the system Python using 'pip install ... --break-system-packages'. It does not download code from unknown third-party hosts, but it performs privileged, system-wide modifications; running it without review is risky.
Credentials
The skill does not declare any required credentials and the code does not attempt to read secrets or unrelated system config. It does read a .env for HOST/PORT/OUTPUT_DIR and uses PATH/PYTHONPATH in the systemd unit. One minor inconsistency: registry metadata lists no required env vars or binaries, but the service expects OUTPUT_DIR, ffmpeg, and optionally picamera2/picamera hardware — these are normal for the stated purpose but should be declared.
Persistence & Privilege
The installer sets up a systemd service (Restart=always, enabled at boot) and installs a client package into system Python (pip --break-system-packages). Creating an auto-starting system service and modifying system packages are reasonable for a long-running hardware service, but they are privileged actions; the combination of system-wide package installation and enabling a daemon increases blast radius if the code is later modified or contains vulnerabilities. 'always' is false (good), but the installer still grants persistent presence.
What to consider before installing
This bundle appears to implement the claimed Pi camera service, but take care before installing:
- Review the install script (scripts/deploy/install.sh) line-by-line. It must be run as root and will create a systemd unit and write to /opt and /etc. Do not run it blindly.
- Expect real prerequisites: python3, ffmpeg (for USB & conversions), and picamera2 (for CSI). The metadata does not list these — ensure they are present and trusted.
- The default .env/template uses HOST=0.0.0.0 (network-exposed). If you don't want the service reachable from other hosts, change HOST to 127.0.0.1 or apply firewall rules.
- The installer installs a client package into the system Python using --break-system-packages; prefer avoiding system-wide installs (inspect and modify install.sh to only install into the service venv or manually install the client in a controlled way).
- If you proceed, test in an isolated Raspberry Pi or VM first. Confirm the service binds to the intended host/port, check file permissions on the output directory, and audit the code locally (service.py and deploy scripts) before granting root privileges.

Like a lobster shell, security has layers — review code before you run it.
