Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
imac-cam
v1.0.0捕获 iMac 摄像头画面(Photo Booth 窗口)。当用户想查看 iMac 的摄像头、打开摄像头、查看摄像头、打开监控、查看监控时说。
⭐ 0· 72·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description say 'capture iMac camera (Photo Booth window)' and the included code (osascript automation, screencapture, cropping, starting a simple HTTP server) directly implements that. No unrelated credentials, services, or unusual binaries are requested.
Instruction Scope
SKILL.md steps (start Photo Booth if needed, get window rect via AppleScript, crop offsets, start HTTP server on port 8765, close Photo Booth) are implemented in the code. The runtime will capture the webcam view and serve it over HTTP; while this matches the stated purpose, it also means your camera image is made available over the network without authentication — a privacy exposure to be aware of. The code does not read unrelated user files or external services.
Install Mechanism
There is no install spec (instruction-only style) and the repository contains small scripts (capture.py, start-server.sh). No packages are pulled from external URLs. Risk is limited to executing the included scripts on the host.
Credentials
The skill requests no environment variables or credentials. It uses local system utilities (osascript, screencapture, scutil, python3), which are proportionate to controlling Photo Booth and capturing the screen.
Persistence & Privilege
always:false and no elevated privileges requested. However, the skill launches a long-running, unauthenticated HTTP server (python -m http.server) which binds to all interfaces by default — this gives any device on the network potential access to the captured image until the server/process is stopped.
Assessment
This skill appears to do what it says, but installing/running it will capture your iMac's Photo Booth image and serve it over an unauthenticated HTTP server (port 8765) that is reachable from the local network. Before installing, consider: 1) Do you trust the skill owner and the device's network (it will expose sensitive camera images)? 2) Run the included scripts manually first to inspect behavior; do not run as root. 3) If you only need local viewing, modify the code to bind the HTTP server to localhost (python -m http.server 8765 --bind 127.0.0.1) instead of letting it listen on all interfaces. 4) Verify firewall settings and stop the server after use; inspect and test the AppleScript commands to confirm they only target Photo Booth. 5) Be cautious if you share this skill with others — it could leak camera snapshots unintentionally. If you want a safer assessment, provide logs of a dry run or let me confirm/annotate exact lines you'd change to restrict network exposure.Like a lobster shell, security has layers — review code before you run it.
latestvk9749yxst00rws1qs5qavxsdy983ap9c
License
MIT-0
Free to use, modify, and redistribute. No attribution required.