ClawHub

Ezviz Open Camera Broadcast

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses Ezviz credentials to upload audio or generated speech and broadcast it to configured Ezviz devices, with the main sensitive behaviors disclosed.

Install only if you intend to let this skill use Ezviz app credentials to make configured devices play audio. Set both EZVIZ_APP_KEY and EZVIZ_APP_SECRET explicitly, use a dedicated least-privilege Ezviz application, verify target device serials and audio content before running, and set EZVIZ_TOKEN_CACHE=0 on shared or high-security systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares powerful capabilities in prose and metadata-like fields, but the analyzer correctly notes there is no formal declared permission model covering env access, file read/write, network, and shell execution. This creates a transparency and governance gap: users or orchestrators may authorize the skill for simple audio broadcast while it can also read local config files, cache tokens on disk, and invoke system binaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose focuses on sending audio broadcasts, but the skill also documents credential discovery from local config files and a shared global token cache with management operations. Those extra behaviors materially expand trust boundaries because they enable access to stored secrets and persistence beyond the immediate task, which is more sensitive than the headline description suggests.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill reads EZVIZ credentials from unrelated local OpenClaw configuration files, expanding its credential access beyond the declared environment-variable interface. This can cause unauthorized credential use, accidental privilege escalation, or cross-skill secret exfiltration if the script is run in a broader agent environment with access to user config files.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation tells users that environment variables are the alternative credential source, but the code silently falls back to reading local OpenClaw config files. This mismatch is security-relevant because users and reviewers may believe the skill has narrower secret access than it actually does, undermining least-privilege expectations and informed consent.

Credential Access

High
Category
Privilege Escalation
Content
result = get_cached_token(args.app_key, args.app_secret, use_cache=use_cache)
        
        if result["success"]:
            print(f"\nAccess Token: {result['access_token'][:30]}...")
            print(f"Expires: {time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(result['expire_time'] / 1000))}")
            print(f"From Cache: {result['from_cache']}")
        else:
Confidence
98% confidence
Finding
Access Token

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal