jf-open-pro-local-record

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This camera-recording skill is purpose-matched, but it handles device credentials and long-lived surveillance media URLs with insufficient endpoint scoping and privacy guidance.

Install only if you trust the publisher and will set JF_ENDPOINT to an official JFTech regional host. Treat device tokens, app secrets, device passwords, playback URLs, download URLs, and alarm-image URLs as secrets, since they can expose private surveillance footage or device access.

SkillSpector (6)

By NVIDIA

Tainted flow: 'url' from os.getenv (line 197, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Code context:

        }
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:

Confidence: 94%
Finding: response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 197, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Code context:

        }
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:

Confidence: 94%
Finding: response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 197, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Code context:

        "playPrioritize": play_prioritize
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:

Confidence: 96%
Finding: response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 197, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Code context:

        "fileName": file_name
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:

Confidence: 93%
Finding: response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 197, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Code context:

        "stream": stream
    }

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:

Confidence: 90%
Finding: response = requests.post(url, headers=headers, json=body, timeout=30)

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The documentation describes obtaining time-limited playback, download, and alarm image URLs for device recordings without any privacy, retention, sharing, or access-control warnings. Because these URLs expose surveillance footage and alarm snapshots, mishandling them could leak sensitive video data to unauthorized users, especially since the docs note long validity windows such as 10 hours.

Static analysis

Env credential access

Severity: Critical
Finding: Python code POSTs credential environment variables to an environment-controlled URL.

VirusTotal

VirusTotal findings are pending for this skill version.