Skill v1.0.1
ClawScan security
Camera API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 24, 2026, 2:52 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (camera/cloud-event queries and screenshot workflow) matches the environment variables it requests and the runtime instructions; there are no unrelated credentials, installs, or hidden behaviors in the provided SKILL.md.
- Guidance: This skill appears internally consistent for talking to the tange365 camera cloud API. Before installing, confirm you control the TIVS_API_KEY and TIVS_APP_ID you’ll provide and that you’re comfortable the skill can: (1) call the cloud API, (2) trigger a device screenshot command, and (3) download image content for display. Do not paste someone else’s API key; keep keys in a secure environment variable store. If you want stronger safety, test with a non-production account or a single device first and verify the API base URL (https://openapi-cn01.tange365.com/) is the service you expect.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the SKILL.md only describes cloud camera device listing, event queries, thumbnails, online status, and a screenshot polling workflow against the tange365 openapi host. The two required env vars (TIVS_API_KEY, TIVS_APP_ID) are proportional and expected for an API client for this service. No unrelated binaries, paths, or extraneous credentials are requested.
- Instruction Scope (note): Instructions are explicit about which endpoints, methods, headers, and fields to use. They direct the agent to call the remote API, send device screenshot directives, poll for results, and (when possible) download image content rather than returning signed URLs. This is coherent with the stated purpose, but important behavioral notes: the skill will perform actions that can trigger devices (take screenshots) and may download images — ensure the user consents to those device actions and image handling. The SKILL.md explicitly forbids hardcoding credentials and returning raw signed image URLs.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files, so nothing is written to disk or pulled from third-party URLs. This is the lowest-risk install profile and matches the provided SKILL.md.
- Credentials (ok): Only two environment variables are required (TIVS_API_KEY and TIVS_APP_ID) and the SKILL.md documents their use as Authorization and X-Tg-App-Id headers. The primaryEnv matches the declared credential. No unrelated secrets, multiple service keys, or config paths are requested.
- Persistence & Privilege (ok): Skill is not always-on (always: false) and does not request persistent system-level privileges or modify other skills' configuration. It can be invoked autonomously per platform default, which is expected for a callable skill; this alone is not a red flag.
