linux-camera
v1.0.0Capture photos, record video clips, list cameras, and live stream on Linux. Uses V4L2 and ffmpeg. Supports USB webcams and RTSP/IP cameras.
⭐ 0· 317·2 current·3 all-time
byJohnny@johnnynunez
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (V4L2 + ffmpeg camera capture and streaming) align with the included Python scripts. The scripts perform listing, snapshots, clips, and live streaming as described. Minor inconsistency: registry metadata lists no required binaries, but SKILL.md explicitly requires ffmpeg and v4l-utils (these are reasonable and expected for the stated purpose).
Instruction Scope
SKILL.md instructs the agent to install ffmpeg and v4l-utils and to run the included scripts — all within the declared camera use-case. However the streaming server binds to network interfaces (HTTP server and optional RTSP re-stream) and serves outputs with Access-Control-Allow-Origin: *. The runtime instructions and examples also show passing RTSP URLs (which may include credentials). These are legitimate for streaming but are operational security concerns (exposing camera feeds and possible credential leakage).
Install Mechanism
There is no installer that downloads remote code; the package is delivered as source files and SKILL.md. No external archives or obscure URLs are fetched by an installer. The scripts rely on system packages (ffmpeg, v4l-utils) which the SKILL.md asks the user to install via apt — a normal, low-risk approach.
Credentials
The skill does not request environment variables or external credentials in metadata, which is appropriate. Caution: RTSP input examples show URLs containing user:pass@host, and these URLs may be provided as command-line arguments — such credentials can appear in process listings or logs and therefore risk exposure. Also the metadata omission of required binaries (ffmpeg/v4l-utils) should be corrected but is not malicious.
Persistence & Privilege
always is false and the skill is user-invocable only. It does not modify other skills or system-wide configs. It runs user-started processes and writes HLS segment files to disk (configurable), which is expected for this functionality.
Assessment
This skill appears to do what it says (capture and stream cameras), but consider these practical security things before installing or running it:
- Install ffmpeg and v4l-utils as the SKILL.md recommends; registry metadata should be updated to list these dependencies.
- Beware of network exposure: the streaming server listens on the host and (by default) will be reachable from other devices. If you run this on a machine with internet access, restrict binding/firewall rules or run only on a private network.
- RTSP URLs containing credentials (rtsp://user:pass@host/...) may leak secrets via process lists or logs. Prefer credentialless local devices or secure, ephemeral credentials; avoid embedding passwords on command lines.
- The HLS/RTSP outputs are unauthenticated by the script. If you need access control, add authentication or place the server behind a firewall/proxy that enforces it.
- The scripts will read /dev/video* devices and write files (e.g., /tmp or an HLS directory). Run as an appropriate user and ensure camera/device permissions are correct.
- If you need stronger assurances, review the included scripts locally (they are readable) and run them in a controlled environment (isolated network or container) before exposing to wider networks.Like a lobster shell, security has layers — review code before you run it.
latestvk97a93s2rr66renhtw0frd7v3d82kz78
License
MIT-0
Free to use, modify, and redistribute. No attribution required.