Back to skill

Security audit

camsnap

Security checks across malware telemetry and agentic risk

Overview

This webcam snapshot skill appears to do what it says, but it deserves review because it saves live camera images locally and passes user-supplied paths through a shell command in a risky way.

Install only if you are comfortable with an agent activating the default webcam when you ask for a photo and saving the result locally. Use simple output paths without shell metacharacters, verify where snapshots are written, and delete images you do not want retained. A safer version should quote or structurally pass arguments instead of interpolating raw text into Bash, and should ask for clear confirmation before taking a webcam photo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill enables webcam capture and writes image files to disk, but it does not explicitly warn about the privacy implications of capturing a live camera image or the fact that a file will be created automatically. In an agent setting, this can lead to users triggering camera access without fully informed consent, increasing the risk of unexpected collection of sensitive visual data and persistent storage on disk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.