Trust Assessment
office-cam received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 5 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Sensitive path access: AI agent config.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/clawd/skills/office-cam/skills/office-cam/scripts/wyze-capture.py:39 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'capture_camera'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/clawd/skills/office-cam/skills/office-cam/scripts/wyze-capture.py:39 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/clawd/skills/office-cam/skills/office-cam/SKILL.md:45 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/clawd/skills/office-cam/skills/office-cam/SKILL.md:66 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/clawd/skills/office-cam/skills/office-cam/SKILL.md:80 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/clawd/skills/office-cam/skills/office-cam/SKILL.md:138 | |
| MEDIUM | Excessive Permissions / Broad System Scope The skill, as described in SKILL.md, is designed to operate with a broad scope of system access and persistent operations. It includes features like continuous background monitoring processes ('OVERWATCH', 'SMART OVERWATCH', 'OVERWATCH PRO'), starting a local web server (http://localhost:8080), and potentially configuring system-level tasks (e.g., 'Morning report (8 AM daily via cron)'). While these are intended functionalities, they grant the skill significant control over the host system, including persistent execution, network service exposure, and extensive filesystem access, which could be considered excessive if not carefully managed or if the skill itself were compromised. Clearly document all system-level operations, network ports, and persistent processes initiated by the skill. Implement robust access controls and ensure all network services are properly secured. Provide clear instructions for users to review and approve these permissions before activation. Consider sandboxing or containerization if possible to limit the skill's impact on the host system. | LLM | SKILL.md:69 |
Scan History
Embed Code
[](https://skillshield.io/report/2aea3760c3a88264)
Powered by SkillShield