Back to skill
Skillv1.0.0
ClawScan security
Foto Webcam · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:12 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill does what it says — it reads a favorites JSON, fetches webcam snapshot JPGs from the web (preferring foto-webcam.eu), writes a local JPG and returns metadata — there are no unexplained credentials, installs, or hidden endpoints.
- Guidance
- This skill appears internally consistent and performs only web fetches and local file I/O. Before installing, verify the favorites JSON (docs/webcams/favorites-muenchen.json) to ensure it doesn't contain unwanted or internal-network URLs, ensure the runtime has the Python 'requests' package available, and be aware the skill will make outbound HTTP(S) requests to the page/image URLs contained in the favorites. If you need to restrict network scope, sanitize the favorites file or run the skill in a restricted environment. The script may print error JSON and re-raise exceptions on failure, so expect error output if a fetch fails.
Review Dimensions
- Purpose & Capability
- okName/description match the actual behavior: reading a favorites list, resolving a current image URL (preferably on foto-webcam.eu), downloading the JPEG and writing it out. No extraneous credentials or unrelated binaries are requested.
- Instruction Scope
- noteThe SKILL.md and script instruct the agent to read a workspace file (docs/webcams/favorites-muenchen.json), perform HTTP requests to the webcam page(s) and image URLs, and write output to a local path (e.g., /tmp). This is consistent with the stated purpose, but the favorites file controls which URLs get fetched — if that file contains arbitrary or internal URLs the skill will attempt to contact them.
- Install Mechanism
- okInstruction-only skill with no install spec. No packages are pulled at install time. The script depends on the Python 'requests' library but no install action is declared (operational dependency only).
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. The network access it requires is proportionate to fetching remote images; there are no unrelated secrets requested.
- Persistence & Privilege
- okalways:false and no modifications to other skills or global agent config. The skill only writes image output to a specified local path and prints JSON metadata — no elevated persistence or privileges are requested.