Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cameras
v1.0.1
Connect to security cameras, capture snapshots, and process video feeds with protocol support.
⭐ 2 · 776 · 0 current · 0 all-time
by Iván @ivangdavila
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Declared purpose (connect to cameras, capture snapshots, process video) matches required binary ffmpeg and optional camera tooling. However the documentation also instructs use of multiple cloud vision APIs (Anthropic, Google Cloud Vision, AWS Rekognition), Ring/Nest APIs, Home Assistant tokens, and Frigate/MQTT — none of these credentials or endpoints are declared in the skill metadata. Examples also show ONVIF with plaintext creds. The presence of many external integrations without declared credential requirements is an incoherence.
Instruction Scope
SKILL.md and included files provide concrete commands and agent code that will capture images, run subprocesses, discover networked cameras (ONVIF), subscribe to MQTT, and send images to external vision services. While that is within a camera skill's remit, the instructions reference environment variables and tokens (e.g., CAMERA_FRONT_URL, HA_TOKEN, Ring refreshToken, AWS/Google creds, Anthropic client) that are not declared. The skill claims it will not run captures automatically, yet processing.md contains sample loops for periodic monitoring and event-driven MQTT handling — a scope contradiction that could enable continuous capture if implemented by an agent.
Install Mechanism
Instruction-only skill with no install spec and no code files. That keeps the on-disk footprint small and is lower risk than arbitrary downloads or install scripts.
Credentials
The skill requests no environment variables in metadata but the runtime instructions repeatedly reference env vars and external service tokens (Anthropic, Google, AWS, Home Assistant, Ring, Frigate, MQTT credentials). This mismatch means sensitive credentials are implied by the instructions but not declared or scoped, which increases the chance of accidental credential exposure or unclear authorization boundaries.
Persistence & Privilege
Skill metadata does not request always: true and uses normal model-invocation defaults. Still, the documentation includes patterns for continuous monitoring and MQTT subscription; if an agent implements those autonomously, that increases blast radius. The skill claims 'does NOT run captures automatically' but supplies example code that would — a small but important contradiction to resolve.
What to consider before installing
This skill mostly does what it says (ffmpeg-based capture and local processing) but you should verify a few things before installing:
1) Ask the publisher to list exactly which environment variables and tokens the skill will ask for and why (Anthropic/Google/AWS/HomeAssistant/Ring/Frigate/MQTT).
2) Confirm whether the agent will ever run periodic monitoring or subscribe to MQTT autonomously — require explicit opt-in for continuous captures.
3) Prefer local processing (Frigate/OpenCV) and avoid sending raw snapshots to cloud services unless you understand where they go; if you must use cloud APIs, create limited-scope service accounts / short-lived tokens and rotate them.
4) Test in an isolated network or VLAN with test cameras first, and ensure the agent (or platform) will not log or persist RTSP URLs or credentials.
5) If you need stronger assurances, request an explicit list of outbound endpoints the skill will contact and a privacy/security policy from the author.
Like a lobster shell, security has layers — review code before you run it.
latest vk970fmceh1stmcyxbrx1m68ycn819dec
Runtime requirements
📷 Clawdis
OS: Linux · macOS
Bins: ffmpeg
