Trust Assessment
office-cam received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 5 high, 1 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Sensitive path access: AI agent config.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/snail3d/voice-devotional/skills/office-cam/skills/office-cam/scripts/wyze-capture.py:39 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'capture_camera'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/snail3d/voice-devotional/skills/office-cam/skills/office-cam/scripts/wyze-capture.py:39 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/voice-devotional/skills/office-cam/skills/office-cam/SKILL.md:45 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/voice-devotional/skills/office-cam/skills/office-cam/SKILL.md:66 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/voice-devotional/skills/office-cam/skills/office-cam/SKILL.md:80 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/snail3d/voice-devotional/skills/office-cam/skills/office-cam/SKILL.md:138 | |
| MEDIUM | RTSP Credentials Retrieved from Environment Variables The script retrieves RTSP URLs, which often contain sensitive credentials (username and password), directly from environment variables. Storing credentials in plain-text environment variables can expose them to other processes on the system, to logs, or to unauthorized users if the environment is compromised or inspectable. While common, this practice is less secure than using dedicated secrets management solutions. Consider using a dedicated secrets management system (e.g., AWS Secrets Manager, HashiCorp Vault, or a local encrypted configuration file) instead of plain-text environment variables for sensitive credentials. If environment variables must be used, ensure they are tightly controlled, not logged, and that the process environment is secured. | LLM | scripts/wyze-capture.py:13 |
Scan History
Embed Code
[](https://skillshield.io/report/530fcbdfe309f8c5)
Powered by SkillShield