Ezviz Open Camera Broadcast
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned for sending Ezviz audio broadcasts, but it needs Ezviz credentials, can upload audio/text to Ezviz, runs local TTS tools, and caches access tokens.
Install only if you intend to let the skill access your Ezviz app credentials and send audio to your devices. Use dedicated least-privilege credentials, set them via environment variables, verify the target device serials and content before running, and disable token caching with EZVIZ_TOKEN_CACHE=0 if you do not want an access token stored locally.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing or invoking the skill is trusting it with access to Ezviz devices and broadcasts under that app's permissions.
The skill needs Ezviz account credentials and can fall back to local OpenClaw config files for those credentials, which is sensitive authority even though it is disclosed and scoped.
requires: env: ["EZVIZ_APP_KEY", "EZVIZ_APP_SECRET", "EZVIZ_DEVICE_SERIAL"] ... "May read ~/.openclaw/*.json for credentials (env vars have priority)"
Use a dedicated least-privilege Ezviz app credential, prefer environment variables over config fallback, and avoid using a main account secret.
A mistaken invocation could upload the wrong audio or make one or more Ezviz devices play an unintended message.
The core workflow uploads audio content to Ezviz and sends it to the specified device serials for playback, which is expected for this skill but has direct account/device effects.
2a. 如果提供音频文件:直接上传文件 ... 3. 下发语音 (accessToken + deviceSerial + fileUrl → 设备播放)
Check the device serial list, channel number, and audio/text content before invoking; use unique voice names when possible.
The local system must have the expected TTS/audio tools installed, and those tools will process the provided text/audio output paths.
The skill executes local TTS/conversion binaries via subprocess. This is aligned with text-to-speech generation and uses argument lists rather than shell strings.
subprocess.run(['say', '-o', temp_aiff, text_with_pauses], check=True, capture_output=True) ... subprocess.run(['ffmpeg', '-i', output_path.replace('.mp3', '.wav'), '-acodec', 'libmp3lame', output_path], check=True, capture_output=True)Install TTS/audio tools only from trusted sources and keep the text input within the documented limits.
The installed Python package version may vary by environment, and users must rely on their own package-source trust settings.
The documented dependency installation is manual and unpinned, and the registry install spec does not define an installation mechanism. This is common for instruction-style skills but leaves dependency provenance to the user.
pip install requests
Install dependencies from a trusted package index, consider pinning `requests` in controlled environments, and review the included Python files before use.