Trusted — Risk Score 5/100
Last scan: 1 day ago
camera-yolo-operator
Operates a local camera and runs YOLO object detection and DA3Metric depth estimation.
Legitimate computer vision skill for webcam-based YOLO object detection and depth estimation with no malicious indicators.
Skill Name: camera-yolo-operator
Duration: 33.2s
Engine: pi
Safe to install
No action needed. The skill performs standard computer vision tasks using opencv, ultralytics YOLO, and depth-anything models. All functionality is accurately documented in SKILL.md.

Findings (1 item)

Severity | Finding | Location
Low | Dependency versions not pinned | Supply Chain
requirements.txt uses >= lower-bound constraints without upper bounds (e.g., ultralytics>=8.0.0, torch>=2.0.0), which could allow installing incompatible future versions.
    ultralytics>=8.0.0
    torch>=2.0.0
→ Consider pinning exact versions or using compatible release specifiers (e.g., ultralytics>=8.0.0,<9.0.0) to ensure reproducible builds. However, all packages come from trusted mainstream sources (PyPI, HuggingFace).
Location: requirements.txt:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md declares --output-dir for saving images; scripts use os.makedirs() and …
Shell | READ | READ | ✓ Aligned | download_models.sh uses python3 -c for model download, documented in SKILL.md
Network | READ | READ | ✓ Aligned | Downloads YOLO models and HuggingFace depth models; explicitly documented in SKI…
Browser | NONE | NONE | | No browser usage
Clipboard | NONE | NONE | | No clipboard access
Environment | READ | READ | ✓ Aligned | Reads OPENCLAW_WORKSPACE, YOLO_MODEL_PATH, HF_ENDPOINT as documented in SKILL.md
Skill Invoke | NONE | NONE | | No skill invocation
Database | NONE | NONE | | No database access
External URLs (6 findings)

Medium | External URL | https://hf-mirror.com | SKILL.md:336
Medium | External URL | https://huggingface.co/depth-anything/DA3Metric-Large | SKILL.md:370
Medium | External URL | https://download.pytorch.org/whl/cu121 | SKILL.md:385
Medium | External URL | https://pypi.tuna.tsinghua.edu.cn/simple | SKILL.md:394
Medium | External URL | https://docs.ultralytics.com/models/yolo11 | references/deployment.md:91
Medium | External URL | https://huggingface.co/ultralytics/ | references/deployment.md:136

File Tree

9 files · 54.3 KB · 1749 lines
Python 4f · 874L Markdown 3f · 777L Shell 1f · 82L Text 1f · 16L
├─ 📁 references
│ ├─ 📝 deployment.md Markdown 292L · 6.0 KB
│ └─ 📝 platform.md Markdown 47L · 1.2 KB
├─ 📁 scripts
│ ├─ 🐍 capture_webcam.py Python 136L · 5.0 KB
│ ├─ 🔧 download_models.sh Shell 82L · 2.2 KB
│ ├─ 🐍 yolo_depth_distance.py Python 275L · 11.1 KB
│ ├─ 🐍 yolo_detection.py Python 235L · 8.5 KB
│ └─ 🐍 yolo_pedestrian_tracker.py Python 228L · 8.6 KB
├─ 📄 requirements.txt Text 16L · 292 B
└─ 📝 SKILL.md Markdown 438L · 11.5 KB

Dependencies (7 items)

Package | Version | Source | Known Vulns | Notes
ultralytics | >=8.0.0 | pip | No | Version not pinned but from trusted source
torch | >=2.0.0 | pip | No | Version not pinned but from official PyTorch
torchvision | >=0.15.0 | pip | No | Version not pinned but from official PyTorch
depth-anything-3 | >=0.1.0 | pip | No | Version not pinned
supervision | >=0.20.0 | pip | No | Version not pinned
opencv-python | >=4.8.0 | pip | No | Version not pinned but mainstream
numpy | >=1.24.0 | pip | No | Version not pinned but mainstream

Security Positives

✓ All functionality accurately documented in SKILL.md - no doc-to-code mismatch
✓ No credential harvesting or sensitive file access (no ~/.ssh, ~/.aws, .env scanning)
✓ No data exfiltration or C2 communication
✓ No obfuscation techniques (no base64, eval(), or anti-analysis patterns)
✓ No reverse shell, RCE, or arbitrary command execution
✓ No hidden functionality - all scripts perform explicitly documented operations
✓ Model downloads from official sources (Ultralytics, HuggingFace) are clearly documented
✓ No suspicious network IOCs beyond documented model download endpoints
✓ Webcam access is for legitimate computer vision tasks only, with no surreptitious recording
✓ All subprocess usage (model download) is documented and necessary for the feature