xxx

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward camera-capture skill, with expected privacy and credential handling risks that users should manage carefully.

Install only if you trust the camsnap Homebrew tap and its dependencies. Use a limited camera account, avoid placing real passwords in shared shell history or transcripts, restrict permissions on the config file, store captures deliberately, and only configure motion-watch actions you intend to run.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly demonstrates passing camera credentials on the command line and storing them in a config file without any warning about their sensitivity. Command-line credentials may be exposed through shell history, process listings, logs, or transcripts, and plaintext camera credentials in config files can enable unauthorized surveillance access if the host is compromised or shared.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal