Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

i-can-see

v1.0.0

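Gives OpenClaw the ability to see, letting it "see the world." Activate this skill when the user asks it to "take a look," "what do you see," or "take a photo." It calls capture.py to connect to an ESP32-CAM, take a photo, and analyze the image.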

by libai @libaibuzai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included capture.py script and SKILL.md: both describe contacting an ESP32-CAM, saving a JPEG, and passing it to the agent's image analysis. The requirement to install the Python requests library is appropriate for the script.
Instruction Scope
Instructions are narrowly scoped to taking a picture and reading the saved file. However, SKILL.md instructs running the script via an absolute path (/Users/mac/.openclaw/...), and the script and docs hardcode a device URL (http://192.168.31.241/capture). These are operational assumptions that may not match the user's environment and should be adjusted, but they are not evidence of malicious behavior.
Install Mechanism
No install spec; the skill is instruction-only plus a single small Python script. This is low-risk: nothing is downloaded or extracted during install.
Credentials
The skill requests no environment variables, credentials, or config paths. The single network call is to a local IP consistent with contacting an ESP32-CAM; no tokens or secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence or modifications to other skills or system config. It simply writes an image file to a user-specified path.
Assessment
This skill appears to do exactly what it says: call a local ESP32-CAM and save the image. Before installing or running it, verify the device IP (192.168.31.241) matches your camera or change the script to your device address; update the SKILL.md command to use a relative or configurable path instead of the hardcoded /Users/mac path; ensure you trust the skill source and run it in a directory where writing images is acceptable. Because the script makes an HTTP GET to a local IP, run it only on networks where contacting that device is intended. If you want tighter control, modify capture.py to accept the camera URL as an argument and to validate the response size/type before saving.

Like a lobster shell, security has layers — review code before you run it.

latestvk977b1032tqjer0eaqrk97gbx983kn65
