ClawAudit verdict
kami-fall-detection-cloud
kami-fall-detection
Cloud-based fall detection skill that sends only short alarm clips (not continuous streams) to the KamiClaw API for analysis; the privacy policy is clearly documented and the data handling is explicitly scoped.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (8)
Pipe to python — executes piped content as Python code
SKILL.md · code · | python3
Possible hardcoded credential
discord_notifier.py · prose · downgraded · token = "YOUR_BOT_TOKEN
Pipe-to-shell pattern (curl | sh) — supply chain attack vector
setup.sh · prose · downgraded · curl https://pyenv.run | bash
Pipe to bash — executes piped content as shell commands
setup.sh · prose · downgraded · | bash
References webhook/callback URL
README.md · code · webhook_url
References sudo — requests elevated privileges
setup.sh · prose · downgraded · sudo
Popular HTTP library — network access
fall_detect_cloud_skill.py · prose · downgraded · got
Python os.environ.get — reads environment variable
fall_detect_cloud_skill.py · prose · downgraded · os.environ.get(
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A/B). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
credential_access Is this flag fair?
Thanks — recorded.