Back to skill

Security audit

terry-camsnap

Security checks across malware telemetry and agentic risk

Overview

This webcam snapshot skill has a clear purpose, but it runs an unshipped local script to access the camera and save images, so users cannot verify the sensitive implementation before installing.

Review before installing. Only use this skill if you can inspect or trust the local camsnap.py it invokes, and if you are comfortable with the agent accessing your webcam and leaving captured images on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill enables webcam capture and writes image files to disk, but its description and usage text do not clearly warn the user about the privacy-sensitive nature of camera access or persistent storage. In an agent setting, this omission can lead to users invoking the skill without informed consent, increasing the risk of unexpected image capture and retention of sensitive visual data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.