camsnap
Review
Audited by ClawScan on May 11, 2026.
Overview
The skill appears to capture webcam photos locally as advertised, but its documented Bash command passes user arguments in a way that could allow unintended shell commands.
Install only if you are comfortable granting a skill access to the local webcam. Until the Bash invocation is hardened, use simple output paths without shell characters, and make sure any OpenCV dependency is installed from a trusted source.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted output path or argument could make the agent run unintended local shell commands, depending on how arguments are substituted and executed.
The skill tells the agent to run a Bash command with user-provided arguments appended directly. If those arguments contain shell metacharacters, they may execute commands beyond taking a camera snapshot.
allowed-tools: Bash
...
python {{SKILL_DIR}}/src/camsnap.py {{ $ARGUMENTS }}
Use a safer invocation pattern that passes arguments as an argument list or explicitly quotes and validates each argument before Bash sees it. Users should avoid complex paths or shell characters and only invoke this skill intentionally.
The skill may fail until OpenCV is installed, and users may need to choose a trusted package source themselves.
The code requires OpenCV, while the provided install specifications declare no install step or dependency. This is not malicious, but it is an undeclared runtime dependency.
import cv2
Declare the OpenCV dependency in the install metadata or document a trusted, pinned installation method.
