Skill v1.0.0
ClawScan security
ESP32-CAM Eyes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 3:01 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only guide for flashing and running ESP32‑S3 camera firmware; its requirements and instructions are coherent with the stated purpose and there is no sign of hidden exfiltration or unrelated credential access.
- Guidance: This guide appears coherent and linked to its stated purpose, but review the code before flashing: 1) The firmware requires your WiFi SSID/password — avoid hard-coding secrets into repos; prefer entering them locally or using a secure config file. 2) Follow the PlatformIO install in an isolated environment (virtualenv or user install) rather than using --break-system-packages to avoid altering system packages. 3) Be mindful of network exposure: the device runs an HTTP server on port 80, so if you attach it to a network with internet access consider firewall rules, router configuration, or use a private LAN/VLAN to prevent unintended access. 4) Verify device model/PID before choosing firmware (the guide emphasizes this); flashing incorrect configs can brick devices. Overall there is no indication of malicious instructions or external data exfiltration in the provided files.
Review Dimensions
- Purpose & Capability (ok): Name/description (ESP32-CAM setup and HTTP camera server) match the included instructions and firmware source. Required tools (PlatformIO, esptool, pyserial) and steps (serial port detection, flashing, WiFi config) are appropriate for this hardware-focused task.
- Instruction Scope (note): The SKILL.md and setup-guide instruct the agent/user to read local serial output, create and flash firmware, and embed WiFi SSID/password into the source before flashing. Those actions are necessary for flashing and connecting the device, but the guide directs inserting WiFi credentials into code (which has security/privacy implications) and reads /dev serial devices — both are expected for this purpose but worth noting.
- Install Mechanism (note): This is instruction-only (no install spec), so nothing is written by the skill itself. The guide tells users to pip-install PlatformIO/esptool/pyserial and warns that PlatformIO will download a large toolchain (~1.5–2GB). The pip invocation includes --break-system-packages, which can be intrusive on some Linux systems; using a virtualenv or user install is a safer alternative.
- Credentials (note): The skill declares no required environment variables or credentials, which aligns with a local hardware setup. However, the instructions require you to supply your WiFi SSID and password by placing them into the firmware source before flashing — this is necessary for operation but is sensitive and should be handled carefully (don't commit secrets to public repos, prefer runtime config or secure provisioning when possible).
- Persistence & Privilege (ok): always is false and the skill is user-invocable only. There is no code that attempts to modify other skills or system-wide agent settings. The skill does not request persistent/privileged presence.
