node-camera

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed camera-control tool for a paired Node device, with expected privacy-sensitive camera streaming and image retention behavior.

Install only on Node devices where camera monitoring is intended. Use single-frame capture when possible, start live streaming only when needed, stop or close the stream afterward, and avoid capturing sensitive spaces unless the Node network and image URLs are trusted.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill documentation exposes clear network, file-read, and file-write behavior by serving and retaining JPEG images over an embedded HTTP server, but it does not declare corresponding permissions or trust boundaries. Missing permission declarations can mislead reviewers and users about the skill’s actual access scope, reducing informed consent and making abuse of camera-derived files and network exposure easier to overlook.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal