TG Cam Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent camera-service skill, but it needs camera API credentials and can retrieve sensitive snapshots and event images from bound devices.

Install only if you trust the TG Cam service and the `skill.webcamapp.cc` API. Provide credentials through the official app/configuration path, do not expose the API key in shared chats, confirm which camera is being accessed, and remember that snapshots and event images may reveal private spaces.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent session with these credentials may be able to access camera device information, snapshots, event history, and images through the service.

Why it was flagged

The skill requires and stores service credentials that authorize access to the user’s bound camera devices.

Skill content

`TIVS_CLI_ID`: the `cli_id` assigned by the camera Skill service; `TIVS_API_KEY`: the `cli_api_key` assigned by the camera Skill service ... `X-Api-Key: $TIVS_API_KEY` ... please write it to `openclaw.json`

Recommendation

Use credentials only from the official camera app, avoid sharing them in public/shared chats, and revoke or rotate the API key if it may have been exposed.

What this means

A snapshot request can capture a current camera image and may incur storage or traffic cost.

Why it was flagged

The snapshot endpoint can actively trigger a camera capture, which is expected for this skill but is a sensitive device action.

Skill content

`POST /api/v1/skill/device/snapshot` ... `The server first sends a snapshot command to the device` ... `Snapshots incur some storage and traffic cost; do not call this frequently`

Recommendation

Confirm the target device before requesting snapshots and avoid repeated or ambiguous snapshot requests.

What this means

Camera images or event images may be visible in the conversation or to anyone with access to the agent session.

Why it was flagged

The skill handles signed camera image URLs and displays image content, so sensitive camera media flows through the agent/chat experience.

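Skill content

`Image URLs may carry signature parameters; the complete URL must be used when access is needed` ... `By default, do not send the raw image URL directly to the user; prefer fetching the image content first and then displaying it.`

Recommendation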

Use the skill only in trusted conversations and avoid forwarding raw signed URLs or camera images unless intended.

What this means

Users have less information to independently verify the publisher or service before granting camera access.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits provenance checking for a skill that uses sensitive camera credentials.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the skill and `skill.webcamapp.cc` through the official camera app or vendor channel before installing.