Cameras

Security checks across malware telemetry and agentic risk

Overview

This camera skill appears purpose-aligned, but it handles sensitive camera images and includes examples that upload or fetch footage without enough privacy and transport-safety guardrails.

Review before installing. Use it only for cameras you are authorized to access, avoid uploading private footage to cloud vision providers unless everyone affected has consented and you understand provider retention/logging, delete saved snapshots or clips when no longer needed, and replace any curl -k style examples with proper TLS certificate validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill provides multiple examples for capturing webcam, phone-camera, and IP camera images and videos and writing them to disk, but never warns that these actions are privacy-sensitive or that saved artifacts may persist on the filesystem. In an agent context, this increases the risk of silent collection or retention of sensitive visual data from users or nearby environments without informed consent.

Missing User Warnings

Medium
Confidence: 90%
Finding
This example sends a security camera snapshot to a third-party vision API without an explicit, in-context warning that potentially sensitive surveillance imagery leaves the device and is transmitted to an external provider. In a security-camera skill, users may process footage containing faces, homes, license plates, or bystanders, so omission of a clear warning can lead to unintended privacy exposure and policy noncompliance.

Missing User Warnings

Medium
Confidence: 95%
Finding
The Google Cloud Vision and AWS Rekognition examples read local image files and submit their contents to external cloud APIs, but the documentation does not clearly warn that camera images are being uploaded off-device. In the context of security cameras, this increases the chance that operators unknowingly transmit sensitive footage to third parties, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Medium
Confidence: 91%
Finding
The examples show how to access live camera feeds and snapshots from Home Assistant, Frigate, Ring, Nest, and UniFi without any notice about consent, privacy boundaries, retention, or who may be visible in the images. In a camera-integration skill, this omission increases the risk that users or downstream agents will collect or inspect surveillance data in ways that violate privacy expectations or policy.

Missing User Warnings

High
Confidence: 97%
Finding
The agent flow explicitly sends a camera snapshot to a vision model for analysis without warning that private images may leave the local camera system and be processed by a third-party or remote model provider. This creates a meaningful risk of unauthorized disclosure of sensitive visual data, including occupants, visitors, children, or interior spaces.

VirusTotal

64/64 vendors flagged this skill as clean.
