Skill v1.0.0
VirusTotal security
Ipcam · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:57 AM
- Hash: 9b4185a88e5b53d05137c274f14af121756d83a7ec1e079c6110fbb15cd2b9ca
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: ipcam. Version: 1.0.0. The skill is classified as suspicious due to two primary security risks, though without clear malicious intent. First, the `install.sh` script uses `sudo apt-get install -y ffmpeg`, which requires elevated privileges and represents a privilege escalation vulnerability if the agent executes it without explicit user consent. Second, both `camera.sh` and `ptz.py` read and utilize camera `username` and `password` stored in plaintext within `~/.config/ipcam/config.json`. While this is necessary for the skill's functionality and not an act of exfiltration, storing credentials in plaintext locally is a significant security vulnerability, making them susceptible to compromise if the local system is breached. The `SKILL.md` and other documentation do not contain prompt injection attempts or instructions for malicious behavior, and the shell scripts use proper quoting to mitigate direct shell injection risks.
