vispatrol-picture

Review

Audited by ClawScan on May 6, 2026.

Overview

This appears to be a coherent VisPatrol snapshot tool, but it should only be used on a trusted Windows VisPatrol machine because it uses a local session token and can return camera images.

Install only if you intentionally want OpenClaw to retrieve VisPatrol camera snapshots on this Windows host. Before each run, confirm that reading %TEMP%/vpup.json is acceptable, and give a separate confirmation before any all-device capture. Treat returned images as sensitive and send them only to authorized channels.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved, the skill can use the existing local VisPatrol session to query configured camera devices and retrieve snapshots.

Why it was flagged

The skill intentionally relies on a local VisPatrol session token, which is high-impact account/session authority even though it is disclosed and scoped to the stated snapshot purpose.

Skill content
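vpup.json provides the service address, port, and local VisPatrol session token; this skill does not require the user to enter an account or password separately.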
Recommendation

Enable it only on a trusted Windows VisPatrol host, verify that %TEMP%/vpup.json belongs to that runtime, and approve each run only when you intend to use that local session.

What this means

Camera snapshots could be sent through the user’s chosen output channel, which may be outside the local VisPatrol system.

Why it was flagged

The skill may package snapshot image paths for forwarding through messaging or image-upload channels; this is disclosed and user-directed, but surveillance images are sensitive.

Skill content
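When snapshot images need to be sent together with a text report to a Feishu bot or another channel that supports image uploads, --json must be used.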
Recommendation

Only forward images to channels and recipients that are authorized to view the camera snapshots, especially for all-device captures.

What this means

Running the skill may execute a small set of local OS commands for environment discovery.

Why it was flagged

The script can invoke local Windows commands to find the host TEMP directory under WSL. The arguments are fixed and not user-controlled, which keeps this proportionate to the stated purpose.

Skill content
commands = (["cmd.exe", "/d", "/c", "echo", "%TEMP%"], ...); completed = subprocess.run(command, ...)
Recommendation

Keep this restricted to trusted Windows/WSL environments and do not modify the script to accept arbitrary shell input.

What this means

Installation could pick up whatever current versions are available from the configured pip index.

Why it was flagged

The skill depends on external Python packages installed from pip without pinned versions. These are common libraries and purpose-aligned, but package provenance/version control is not locked down.

Skill content
pip install requests
pip install pycryptodome
Recommendation

Install dependencies from a trusted package index and consider pinning known-good versions in controlled deployments.