SmartEye - The Agent's Eyes

Security checks across malware telemetry and agentic risk

Overview

This camera-control skill matches its stated purpose, but it needs review because broad triggers and real-device actions can expose private camera views or move cameras without enough confirmation.

Install only if you intentionally want an agent to access and move your cameras. Restrict configuration to trusted internal camera IPs, protect camera-devices.json, assume saved snapshots may contain private scenes, and avoid broad/automatic invocation. Be aware that VLC live-stream use may expose camera credentials in local process arguments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The file adds a local process-launching capability unrelated to core PTZ protocol handling, expanding the skill's privileges from network camera control to arbitrary local application execution. If configuration is influenced by an attacker or untrusted source, this can be abused to launch unintended binaries or trigger credentialed RTSP connections in a local media player without sufficient review.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The code documents and attempts to add a WS-Security UsernameToken, but `_add_wsse_header` only builds a string and then does nothing (`pass`). As a result, requests may be sent without the intended authentication material, causing authentication failure and creating a dangerous mismatch between the security model claimed by the code and what is actually transmitted.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
`_ptz_envelope` claims to construct a SOAP envelope with WSSE authentication, but it emits `<soap-env:Header/>` with no security token at all. In a device-control client, this discrepancy can break authentication, encourage insecure downstream workarounds, and mislead integrators into believing PTZ commands are protected when they are not.

Intent-Code Divergence

Medium
Confidence: 86%
Finding
The module docstring claims direct execution only runs tests, but the `__main__` block loads real configured cameras and calls `parse_and_execute()` on action strings such as pan/tilt/zoom operations. This mismatch can cause operators or developers to run the file expecting harmless tests while unintentionally triggering physical camera actions or network interactions against production devices.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases include broad everyday expressions such as '在哪里' ("where is") and '有没有' ("is there"), which can be matched during normal conversation and unintentionally activate camera search or monitoring behavior. In the context of a skill that captures frames, opens live streams, and searches across multiple cameras, accidental invocation can cause unintended surveillance and privacy exposure.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill prominently advertises real-time stream access, frame capture, and multi-camera object search, but the security note only mentions network exposure and file permissions, not the privacy consequences of observing people, rooms, or belongings. This under-warning increases the risk that users enable or share the skill without informed consent controls, especially in homes or workplaces where camera access is highly sensitive.

Missing User Warnings

Medium
Confidence: 78%
Finding
Launching VLC without any user-facing disclosure can cause unexpected local execution and network access using embedded camera credentials. In agent or automation contexts, undisclosed side effects are dangerous because they can surprise operators, leak sensitive connection details to local process listings or logs, and violate least-astonishment expectations.

Missing User Warnings

Medium
Confidence: 84%
Finding
The RTSP URL is constructed as `rtsp://user:pass@host/...`, embedding credentials directly in the URI. Even though credentials are URL-encoded, this pattern is sensitive because full URLs may be exposed through logs, crash reports, process arguments, shell history, UI dialogs, or OS process inspection when later consumed by other tools such as VLC.

Missing User Warnings

Medium
Confidence: 88%
Finding
This module exposes functions that issue PTZ movement commands directly to a camera, enabling real-world physical actuation with no confirmation, authorization check, rate limiting, or safety interlock in this file. In an agent or automation context, misuse or prompt-driven invocation could move cameras unexpectedly, causing privacy, safety, or operational impact.

Missing User Warnings

Medium
Confidence: 92%
Finding
The client sends ONVIF authentication material over plain HTTP to `http://{host}:{port}/onvif/service`, exposing the WS-Security UsernameToken fields to interception or replay attempts by attackers on the network path. Although the password is not sent in cleartext, the nonce, timestamp, username, and password digest are still transmitted without transport-layer protection, making credential theft and unauthorized camera control materially more likely on untrusted networks.

Missing User Warnings

Medium
Confidence: 95%
Finding
The method returns an RTSP URL with the username and password embedded in the authority component. Even when URL-encoded, those credentials can leak through logs, debugging output, exceptions, telemetry, copy/paste, or downstream consumers that display or persist the URL, exposing camera access.

Missing User Warnings

Medium
Confidence: 97%
Finding
This code launches VLC with an RTSP URL containing credentials as a command-line argument. On many systems, process command lines are visible to other local users, monitoring agents, crash reporters, shell history wrappers, or desktop tooling, making credential disclosure significantly more likely than if the secret stayed in-process.

Missing User Warnings

Medium
Confidence: 95%
Finding
The client always constructs URLs with `http://` and sends ONVIF control traffic and authentication-related material over plaintext transport. Even though PasswordDigest is used, the request metadata and control actions remain exposed to interception or modification by an on-path attacker, which is especially sensitive because this code controls cameras and other ONVIF devices.

VirusTotal

67/67 vendors flagged this skill as clean.