Ezviz Open Camera Config

ReviewAudited by ClawScan on May 10, 2026.

Overview

This is a disclosed Ezviz camera-configuration skill, but it uses camera-control credentials and can change security/privacy settings, so use least-privilege credentials and approve changes carefully.

Install only if you intend to let the agent configure your Ezviz camera devices. Use a dedicated least-privilege Ezviz app key/secret, set credentials through environment variables, disable token caching on shared systems if desired, and explicitly confirm any change that affects arming, recording, masking, or detection settings.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI02: Tool Misuse and Exploitation

What this means

A mistaken or unintended invocation could change whether a camera is armed, recording, or visually blocked.

Why it was flagged

The script exposes API actions that can change camera arming, lens masking, recording, and detection settings. This matches the skill purpose, but these are security/privacy-sensitive device mutations.

Skill content

"defence_set": {"url": "/api/lapp/device/defence/set" ...}, ... "shelter_set" ... "fullday_record_set"

Recommendation

Only use the skill after an explicit user request, verify the device serial and requested setting, and prefer testing with a non-critical device first.

Medium

#ASI03: Identity and Privilege Abuse

What this means

The provided credentials authorize camera configuration actions, so over-scoped or shared credentials could increase the impact of mistakes.

Why it was flagged

The skill uses delegated Ezviz credentials, can read local OpenClaw config files as a fallback, and caches access tokens. These behaviors are clearly disclosed and purpose-aligned.

Skill content

"Requires Ezviz credentials with minimal permissions" ... "Token cached in system temp directory" ... "May read ~/.openclaw/*.json for credentials"

Recommendation

Use a dedicated least-privilege Ezviz app key/secret, prefer environment variables over command-line secrets, and disable token caching on shared machines if needed.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users have less external context for verifying the maintainer or upstream project.

Why it was flagged

The registry does not provide an upstream source or homepage, and there is no automatic install spec. The visible setup is simple, but provenance is limited.

Skill content

Source: unknown; Homepage: none; No install spec

Recommendation

Review the included `scripts/device_config.py` and `lib/token_manager.py` before use, and install dependencies from trusted package sources.