Trust Assessment
foto-webcam received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 2 high, 2 medium, and 1 low severity. Key findings include "Suspicious import: requests", "Server-Side Request Forgery (SSRF) via user-controlled URL", and "Arbitrary File Write via user-controlled output path".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 61/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Layer | Location |
|---|---|---|---|---|
| HIGH | Server-Side Request Forgery (SSRF) via user-controlled URL | The skill's Python script `foto_webcam_snapshot.py` takes a `--url` argument which is directly used in `requests.get()` calls without sufficient validation of the domain. The `SKILL.md` instructs the LLM to accept user-provided URLs (e.g., `fuege <name> <url> hinzu`) and use them with the script. An attacker could provide a malicious URL (e.g., `http://localhost:8080/admin`, `file:///etc/passwd`, `http://internal-ip/`) to force the server to make requests to internal resources or arbitrary external services, potentially leading to data exfiltration or access to internal systems. While the script attempts to resolve `foto-webcam.eu` specific image URLs, the initial fetch of the `page_url` itself is not restricted. Implement strict URL validation (whitelist `foto-webcam.eu` domain) for both `page_url` and `source_url` before making HTTP requests. Consider using a dedicated library for URL parsing and validation. | LLM | scripts/foto_webcam_snapshot.py:30 |
| HIGH | Arbitrary File Write via user-controlled output path | The skill's Python script `foto_webcam_snapshot.py` takes a `--out` argument which specifies the output file path for the downloaded image. This path is used directly in `os.makedirs()` and `open()` calls without sanitization or restriction. If an attacker can control the `--out` argument (e.g., by manipulating the LLM to use a path like `/etc/cron.d/malicious_job` or `/var/www/html/shell.php`), they could write arbitrary image data to any location on the file system where the skill has write permissions. This could lead to denial of service, privilege escalation, or remote code execution. Restrict the `--out` path to a safe, designated directory (e.g., `/tmp/skill_output/`) and ensure that only the filename part can be controlled by user input, not the directory structure. Validate the filename to prevent directory traversal (e.g., `../`). | LLM | scripts/foto_webcam_snapshot.py:79 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/unixweb/foto-webcam/scripts/foto_webcam_snapshot.py:28 |
| MEDIUM | Potential Arbitrary File Read via user-controlled favorites path | The `foto_webcam_snapshot.py` script accepts a `--favorites` argument which specifies a JSON file to read. The `read_favorites` function opens this path directly and attempts to parse its content as JSON. If an attacker can control this argument (e.g., by manipulating the LLM to use `--favorites /etc/passwd`), the script will attempt to read the content of an arbitrary file. While the script expects JSON and will likely fail to parse non-JSON files, the content is read into memory. If the error message or other output were to leak parts of the file content, it could lead to data exfiltration. Even without direct leakage, reading arbitrary files is an excessive permission. Restrict the `--favorites` path to a known, safe directory (e.g., `docs/webcams/`) and validate the filename to prevent directory traversal. Alternatively, ensure the LLM is strictly constrained to only use the hardcoded `docs/webcams/favorites-muenchen.json` path. | LLM | scripts/foto_webcam_snapshot.py:22 |
| LOW | Host LLM output format manipulation | The skill attempts to manipulate the host LLM's output format by explicitly instructing it to respond only in "Plain Text (kein Markdown)" and "clean speech (keine Sonderzeichen/Formatierung)" for audio. While not directly malicious in terms of data exfiltration or command injection, this is a form of prompt injection aiming to control the LLM's behavior and output style, which could interfere with its intended operation or user experience. Remove instructions that attempt to control the host LLM's output format or style. The LLM should determine its own output format based on its core instructions and user context. | LLM | SKILL.md:69 |