ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xxx

v1.0.0

Capture frames or clips from RTSP/ONVIF cameras.

0· 96·1 current·1 all-time
by@cosrider·duplicate of @0xspeter/camsnap-1-0-0

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cosrider/xxx.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "xxx" (cosrider/xxx) from ClawHub.
Skill page: https://clawhub.ai/cosrider/xxx
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: camsnap
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xxx

ClawHub CLI

Package manager switcher

npx clawhub@latest install xxx
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill is an instruction-only wrapper that expects the camsnap binary (installed via brew steipete/tap/camsnap) which is coherent with the stated purpose. However, SKILL.md also requires ffmpeg on PATH for actual operation but ffmpeg is not listed in the skill's required binaries. Also the SKILL.md references a per-user config (~/.config/camsnap/config.yaml) even though 'required config paths' was left empty in the metadata.
!
Instruction Scope
Instructions tell the agent to add cameras with plaintext credentials (e.g., --user/--pass) which implies writing sensitive credentials to ~/.config/camsnap/config.yaml. The 'watch' command uses --action '...' which typically allows arbitrary commands to run on motion events — that can be abused to execute arbitrary code. The SKILL.md does not limit or sanitize these actions and does not declare reading/writing the config path in metadata.
Install Mechanism
Install is via a Homebrew formula (steipete/tap/camsnap). Homebrew is common, but this uses a third-party tap (steipete) rather than the main/homebrew-core repository. Third-party taps are legitimate but require extra trust review; the install will create a camsnap binary as expected.
Credentials
No environment variables or credentials are declared, which is reasonable for a local camera tool. However, SKILL.md clearly expects credentials to be provided interactively or stored in the config file, and the omission of ffmpeg from declared binaries is a mismatch. No unrelated cloud credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not claim elevated platform privileges. It will read/write its own per-user config (~/.config/camsnap/config.yaml) which is normal for an app of this type; nothing in the metadata indicates it modifies other skills or global agent settings.
What to consider before installing
This skill appears to do what it says, but take these precautions before installing: - Verify the brew tap (steipete/tap) and the camsnap project (https://camsnap.ai) — third-party taps should be checked for trustworthiness. - Expect camsnap to create and store camera credentials in ~/.config/camsnap/config.yaml; treat that file as sensitive and review its contents/permissions. Avoid using admin/cloud credentials — use camera-specific accounts. - Ensure ffmpeg is installed separately (SKILL.md requires it) — the skill metadata didn't declare ffmpeg as a required binary. - Be careful with the 'watch' --action option: it can execute arbitrary commands on motion events. Do not configure actions that run untrusted shell commands. - If you need stronger isolation, consider running camsnap in a confined environment or VM before granting it access to your local network/cameras. - Note: the package metadata ownerId in _meta.json differs from the registry owner metadata; that mismatch could indicate packaging errors or provenance issues — verify the source before trusting.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📸 Clawdis
Binscamsnap

Install

Install camsnap (brew)
Bins: camsnap
brew install steipete/tap/camsnap
latestvk974vjv0gr0rmp8x9f0n06vkbs83qeg5
96downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@cosrider
latest
Download

camsnap

Use camsnap to grab snapshots, clips, or motion events from configured cameras.

Setup

  • Config file: ~/.config/camsnap/config.yaml
  • Add camera: camsnap add --name kitchen --host 192.168.0.10 --user user --pass pass

Common commands

  • Discover: camsnap discover --info
  • Snapshot: camsnap snap kitchen --out shot.jpg
  • Clip: camsnap clip kitchen --dur 5s --out clip.mp4
  • Motion watch: camsnap watch kitchen --threshold 0.2 --action '...'
  • Doctor: camsnap doctor --probe

Notes

  • Requires ffmpeg on PATH.
  • Prefer a short test capture before longer clips.

Comments

Loading comments...