Cameras
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: cameras
Version: 1.0.1
The skill bundle is generally benign, providing functionality for camera integration and video processing using standard tools like ffmpeg, gphoto2, and cloud vision APIs. The SKILL.md explicitly promotes user-driven credential handling and warns against logging sensitive data. However, the `security-integration.md` file contains a `curl -k` command for UniFi Protect integration, which disables SSL certificate validation. This creates a Man-in-the-Middle (MITM) vulnerability, allowing potential interception and manipulation of communication with the camera system. This is a significant security flaw, classifying the skill as suspicious due to this vulnerability.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these commands are run, the agent or user may capture images from a local webcam or connected camera.
The docs show raw local tool invocation to capture camera images. This is central to the skill’s purpose and user-directed, but it can access camera hardware and write image files.
cmd = [ 'ffmpeg', '-y', '-f', 'avfoundation', ... '-frames:v', '1', ... output ]
subprocess.run(cmd, capture_output=True)
Only run capture commands after confirming the intended device, output path, and user consent.
Camera URLs, passwords, and tokens could expose private camera feeds if pasted into logs, shell history, or shared conversations.
The skill expects users to provide camera access credentials. This is purpose-aligned, but those credentials can grant access to security cameras or home-security systems.
User provides camera credentials (RTSP URLs, passwords)
Prefer environment variables or a secure secret store, avoid sharing full camera URLs with embedded passwords, and use least-privileged camera accounts where possible.
Snapshots from private or security cameras may be transmitted to third-party cloud services for analysis.
The processing guide describes sending captured camera images to external vision providers such as Anthropic, Google Cloud Vision, or AWS Rekognition. This is disclosed and purpose-aligned, but it moves private imagery outside the local camera environment.
The simplest approach: capture image, send to vision model.
Confirm before sending camera images to cloud services, use local processing when privacy is important, and avoid uploading images containing sensitive people, locations, or documents unless necessary.
A monitoring setup could continue watching cameras or sending alerts longer than intended.
The docs include continuous monitoring and persistent MQTT subscription examples. They are coherent with security monitoring, but can keep operating indefinitely if implemented without explicit bounds.
while True:
    frame = capture_snapshot(camera_url)
...
client.loop_forever()
Set clear monitoring windows, stop conditions, notification limits, and storage-retention rules before using continuous monitoring patterns.
