ClawHub

Webcam Motion Monitor

Security checks across malware telemetry and agentic risk

Overview

This webcam-monitoring skill is mostly purpose-aligned, but it can expose a live camera feed to the local network without authentication and handles identifiable images with weak privacy safeguards.

Review before installing. Only use this where you are allowed to capture the camera feed and any people in view. Before running web_preview.py, change it to bind to 127.0.0.1 or add firewall and authentication controls. Avoid storing real people’s identifying traits in MEMORY.md unless you have consent, and review the snapshot, log, and cleanup behavior so sensitive images do not remain or get exposed unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The server binds to 0.0.0.0, making the live webcam feed reachable from other hosts on the network rather than only the local machine. In a webcam-monitoring skill, this materially increases privacy and surveillance risk because any network-reachable client can view the stream without authentication or access control.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly supports person identification from webcam snapshots and encourages maintaining identifying appearance details in MEMORY.md, but it provides no clear privacy notice, consent guidance, retention policy, or restrictions on analyzing bystanders. In a webcam-monitoring context, this materially raises surveillance and privacy risks because the collected images may contain sensitive biometric or identifying information from a home or office environment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically saves motion-triggered webcam images to a persistent directory under the user's home folder without any retention limit, consent check, access control hardening, or privacy notice in the code path. In a webcam-monitoring skill, this creates a real privacy and data-exposure risk because sensitive images may accumulate indefinitely and be accessible to other local processes or users depending on filesystem permissions and operational setup.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script silently creates queue files containing paths to newly captured webcam snapshots, which is part of a surveillance/analysis workflow handling potentially sensitive image data. In this context, lack of disclosure or consent at the point of collection increases privacy risk because users or bystanders may not realize images are being queued for downstream AI analysis.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The log message hard-codes identification of specific named people ('Jade OR Sarah') for webcam captures without any actual recognition logic, consent, or uncertainty handling. In a webcam-monitoring skill, this is especially risky because it can misattribute identity in surveillance logs and normalize unverified personal identification of people captured on camera.

Missing User Warnings

High
Confidence
98% confidence
Finding
The HTTP server is exposed on all interfaces and serves both the live stream and snapshot functionality with no authentication, authorization, or warning. In the context of a webcam monitoring tool, this turns a local device feed into a network-accessible surveillance endpoint, substantially increasing privacy and misuse risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal