Synology Surveillance
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned, but it requires high-impact surveillance-camera credentials, weakens account protections, and can change camera recording/PTZ state without documented approval safeguards.
Review carefully before installing. If you use it, create a dedicated low-privilege Surveillance Station account, use HTTPS, avoid plaintext passwords, protect generated images and stream URLs, and require confirmation before any recording or PTZ changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are exposed or misused, an agent or another local reader could access or control surveillance cameras.
The skill directs users to disable 2FA for the API account and place camera/NAS credentials in a local instructions file, which creates a high-impact credential exposure and privilege boundary risk.
**2FA deaktiviert** für den API-Benutzer ... Füge die Verbindungsdaten zu `TOOLS.md` hinzu ... **User:** surveillance_user ... **Pass:** dein_passwort
Use a dedicated least-privilege Surveillance Station account, avoid plaintext password storage, prefer a secrets manager or scoped environment variables, enable HTTPS, and document exactly why 2FA must be disabled.
A mistaken or autonomous invocation could change recording state or camera direction, affecting security coverage.
The script can start/stop recordings and move PTZ cameras using supplied arguments, but the artifacts do not add confirmation, allowlisting, or rollback guidance for these mutating camera actions.
api=SYNO.SurveillanceStation.Recording&method=${method}&version=1&cameraId=${camera_id} ... api=SYNO.SurveillanceStation.PTZ&method=Move&version=1&cameraId=${camera_id}&direction=${direction}&speed=3Require explicit user confirmation for record/PTZ/preset commands, restrict permitted camera IDs and actions, and consider making read-only operations the default.
Camera images, event logs, and stream URLs may reveal private home or business surveillance information.
The script intentionally retrieves camera snapshots and saves them locally; related commands also display event data and live-stream URLs.
local output="syno_snapshot_${camera_id}_${timestamp}.jpg" ... GetSnapshot ... -o "$output"Run the skill only in trusted workspaces, protect generated snapshot files, avoid sharing stream URLs, and delete sensitive outputs when no longer needed.
Installers and users may not get advance warning that extra tools and sensitive credentials are needed.
The registry metadata does not declare the practical jq/curl usage or Synology credential environment variables that the SKILL.md and script rely on.
Required binaries (all must exist): none ... Env var declarations: none ... Primary credential: none
Declare required binaries and credential/configuration variables in metadata so users can review the access requirements before installation.