Trust Assessment
camera-watch received a trust score of 30/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 2 high, 2 medium, and 1 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.run()", and "Suspicious import: requests".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/henrikback/camera-watch/scripts/camera_watch.py:186 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_snapshot'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/henrikback/camera-watch/scripts/camera_watch.py:186 |
| HIGH | **Configurable Notification Gateway allows data exfiltration and credential harvesting.** The `Notifier` class in `scripts/camera_watch.py` sends notification data, including a user-configured `gateway_token` and the absolute path to saved snapshots (`mediaPath`), to a `gateway_url` which is also user-configurable in `config.yaml`. If a user configures a malicious or compromised `gateway_url`, the `gateway_token` (which could be sensitive) and local file paths (and potentially the snapshot content if the gateway fetches it) could be exfiltrated to an untrusted third party. While the default `gateway_url` is `http://localhost:18789`, the example `config.yaml` clearly shows it as a configurable field, making it a credible exploit path if misconfigured by the user. 1. Strongly warn users about the security implications of setting `gateway_url` to an untrusted external service. 2. Consider adding a whitelist or validation for `gateway_url` if possible, or at least a prominent warning in the documentation. 3. If `gateway_token` is highly sensitive, consider alternative authentication mechanisms or encrypting the token at rest. 4. Avoid sending absolute file paths to external services; instead, consider sending the image content directly or using a temporary, signed URL for image upload if the gateway supports it. | LLM | scripts/camera_watch.py:90 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/henrikback/camera-watch/scripts/camera_watch.py:17 |
| MEDIUM | **Unpinned dependencies in installation instructions.** The `SKILL.md` provides installation instructions that use `pip install` without specifying exact versions for `opencv-python`, `ultralytics`, `pyyaml`, and `requests`. This practice can lead to supply chain attacks where a malicious actor could publish a compromised version of one of these packages, which would then be installed by users of this skill. Provide a `requirements.txt` file with pinned versions (e.g., `opencv-python==4.8.1.78`) and instruct users to install using `pip install -r requirements.txt`. Regularly audit and update these pinned versions. | LLM | SKILL.md:22 |
| LOW | **Potential command injection in `ffmpeg` call via RTSP URL parameters.** The `_get_snapshot_rtsp` function constructs an RTSP URL using user-provided `self.user` and `self.password` from `config.yaml`, and then passes this URL as an argument to `ffmpeg` via `subprocess.run`. While `subprocess.run` with a list of arguments generally prevents shell injection, `ffmpeg` itself might interpret specially crafted characters within the `rtsp_url` (e.g., in the username or password) as command-line options or malicious input, potentially leading to unintended `ffmpeg` behavior or resource exhaustion. This is a lower risk as it relies on `ffmpeg`'s parsing vulnerabilities rather than direct shell injection from Python. Implement input validation and sanitization for camera usernames and passwords in `config.yaml` to prevent them from containing characters that could be misinterpreted by `ffmpeg` or other URL parsers. Consider URL-encoding the username and password components of the RTSP URL. | LLM | scripts/camera_watch.py:230 |