employee-off-duty-detection-2

Security checks across malware telemetry and agentic risk

Overview

This skill openly supports workplace camera monitoring, but it needs Review because it handles employee surveillance images and camera credentials without enough privacy, scoping, or secret-storage safeguards.

Install only if you are authorized to monitor the spaces and people involved. Confirm workplace notice or consent requirements, use least-privilege camera and Feishu credentials, restrict alert recipients, verify exactly where tokens are stored, lock down file permissions, and review AI/Feishu retention policies before sending workplace images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes workplace camera monitoring, image capture, AI analysis, and Feishu alerting without any mention of consent, notice, data handling, retention, or legal/privacy constraints. In a surveillance-oriented skill, omitting these safeguards can encourage deployment that violates employee privacy expectations, internal policy, or local law, making misuse materially more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to collect and locally store camera credentials and access tokens, but does not provide prominent handling precautions, secure storage guidance, or minimization practices. This increases the risk of credential leakage through plaintext config files, backups, logs, or improper file permissions, which could enable unauthorized camera access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes surveillance image capture, employee presence monitoring, and alerting with images/metadata without a prominent privacy notice or consent/compliance guidance at the point of use. In workplace settings, this can create significant privacy, legal, and misuse risks, especially if users deploy monitoring without informing affected individuals or configuring retention and access controls.

Credential Access

High
Category
Privilege Escalation
Content
### 1. Initial Setup (First Run)
When the skill runs for the first time:
1. Prompt user for camera system type
2. Collect API endpoint, access token, device serial, channel number
3. Ask for default inspection prompt template
4. Confirm alert channel preferences
5. Save configuration to `~/.openclaw/workspace/intelligent-inspection-config.json`
Confidence
86% confidence
Finding
access token

VirusTotal

65/65 vendors flagged this skill as clean.
