terry-camsnap
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill’s camera-snapshot purpose is clear, but it asks the agent to run an unprovided local Python script via Bash with raw arguments, so its actual behavior cannot be reviewed.
Review this skill carefully before installing. Its stated purpose is reasonable, but the actual camera-capture script is missing, so you cannot verify what will run or how output paths are restricted. Install only if you trust the publisher and can inspect or supply the referenced camsnap.py yourself.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or untrusted output path could cause unintended command behavior, and the user cannot verify the claimed path restrictions from the supplied artifacts.
The skill tells the agent to invoke Bash with user-supplied arguments inserted directly into the command. That makes safe argument handling dependent on shell parsing and the missing helper script.
python3 ~/.openclaw/workspace/src/camsnap.py {{ $ARGUMENTS }}Use a packaged, reviewed helper that receives arguments safely, or require explicit quoting/escaping and confirmation before running the Bash command.
The skill may fail, or it may run a local script whose origin and permissions are unclear.
The skill depends on a helper script under ~/.openclaw/workspace/src, but the supplied manifest contains only SKILL.md and there is no install spec, so the executable's source and behavior are not reviewable.
Run the snapshot script:
```bash
python3 ~/.openclaw/workspace/src/camsnap.py {{ $ARGUMENTS }}
```Do not install until the provider includes the camsnap.py file or a pinned, reviewable install process that creates it.
If a file exists at that path, the agent could execute unreviewed local code with the user's permissions.
The skill grants Bash use and then instructs execution of a Python file that is not included in the reviewed package. Command execution is expected for this purpose, but this specific executable is outside the provided artifacts.
allowed-tools: Bash
Only allow execution of reviewed code shipped with the skill, and avoid running files from ambiguous workspace paths.
Users may assume the file-writing behavior is constrained even though that cannot be verified from this package.
The skill makes a safety claim about path validation, but the implementation that would enforce it is not included in the artifacts.
Output paths are validated against path-traversal; only allowed directories are writable.
Treat the path-safety claim as unverified until the implementation is provided and reviewed.