SkillTotal

Is hacksider/Deep-Live-Cam safe?

This repo is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. Its capabilities are filesystem read, filesystem write, network egress and shell execution; capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

repo · python_package · https://github.com/hacksider/Deep-Live-Cam
LOW · 0 / 100 risk score
Snapshot · scanned Jul 1, 2026 · repo@834092c · engine 0.22.0 / ruleset 23
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Python shell/command execution
  • Python filesystem write/delete
  • Python filesystem read

No malicious indicators found by static analysis.

Capabilities — what this component can do (not a risk score):
  • filesystem read
  • filesystem write
  • network egress
  • shell execution

Findings (4)

HIGH · Python shell/command execution · ST-SHELL-PY

The component can run operating-system commands or spawn processes.

reader = subprocess.Popen(
            reader_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        )
writer = subprocess.Popen(
            writer_cmd, stdin=subprocess.PIPE, stderr=subprocess.PIPE,
        )
subprocess.check_output(commands, stderr=subprocess.STDOUT)
output = subprocess.check_output(command).decode().strip().split("/")
output = subprocess.check_output(command).decode().strip()
output = subprocess.check_output(command).decode().strip()

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; avoid shell=True.

MEDIUM · Python filesystem read · ST-FS-PY-READ

The component reads files from disk.

with open(file_path, "r", encoding="utf-8") as file:
with open("switch_states.json", "r") as f:

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUM · Python filesystem write/delete · ST-FS-PY-WRITE

The component writes or deletes files on disk.

shutil.copy2(modules.globals.target_path, modules.globals.output_path)
shutil.rmtree(temp_directory_path + f"/{i}")
with open("switch_states.json", "w") as f:
with open(temp_path, "wb") as f:
os.remove(output_path)
shutil.move(temp_output_path, output_path)
shutil.rmtree(temp_directory_path)
with open(download_file_path, "wb") as f:

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.

MEDIUM · Python network egress · ST-NET-PY

The component makes outbound network requests.

response = requests.get(
                "https://thispersondoesnotexist.com/",
                headers={"User-Agent": "Mozilla/5.0"},
                timeout=10,
            )
request = urllib.request.Request(url)
response = urllib.request.urlopen(request, context=ctx)

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.