Is kartinw/video-watcher safe?

https://github.com/openclaw/skills/tree/main/skills/kartinw/video-watcher

85
SAFE

The kartinw/video-watcher skill is a legitimate video frame extraction utility with no evidence of malicious intent. The SKILL.md is clean with no prompt injection vectors, no credential harvesting code exists in the shell script, all canary honeypots remained intact, and network activity during installation was entirely attributable to GitHub (git clone) and background system services. The primary security concern is a shell injection vulnerability in extract_frames.sh where the VIDEO_PATH and FPS arguments are interpolated into double-quoted shell strings without sanitization, creating a confused-deputy risk if an attacker can influence the arguments passed by the agent. A secondary concern is the SKILL.md instruction to run sudo apt-get install without a user confirmation gate.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

MEDIUM Shell injection via unsanitized VIDEO_PATH and FPS arguments -28

The extract_frames.sh script passes $VIDEO_PATH and $FPS directly into double-quoted shell command strings without escaping or validation. An attacker who can influence the video path or fps value (e.g., through a crafted filename or a prompt injection attack that controls agent tool arguments) can break out of the shell quoting and execute arbitrary commands in the agent's execution context.

LOW Unsupervised sudo package installation recommended in SKILL.md -10

The prerequisites section of SKILL.md instructs the agent to run 'sudo apt-get install -y ffmpeg' without any user-confirmation step. An agent following these instructions literally will elevate privileges and install system software without explicit user consent, which violates least-privilege principles.

LOW Input path traversal possible via OUTPUT_DIR argument -20

If OUTPUT_DIR is set to a sensitive path (e.g., ~/.ssh/), the script will create that directory and write numbered JPEG files there. While frame_001.jpg is unlikely to overwrite id_rsa, the pattern could be used to pollute sensitive directories or cause denial-of-service via inode exhaustion in targeted paths.

INFO Background fwupd and Ubuntu update traffic during install window -8

Multiple TLS connections to 199.232.174.49 (Fastly CDN, used by fwupdmgr for firmware metadata) and 185.125.x.x (Ubuntu update servers) were observed during the install window. These are attributable to system background services (fwupd-refresh UID 990, not the skill) and do not represent skill-initiated traffic.

INFO Canary files read twice — both reads attributed to audit framework 0

Honeypot credential files were opened at 1771937107 (oathe canary setup) and 1771937133 (post-install audit verification). The second read at 1771937133.954 occurs after all skill-related exec events and coincides with the audit framework's systematic scan phase. No writes or network transmissions of canary content were detected.