Ezviz Open Camera Video

v1.0.1

Ezviz camera video streaming skill. Generates PC and mobile links for live and playback streams. Use when: Need to view camera live feed, playback recordings...

by EzvizOpenTeam (@ezviz-open) · duplicate of @shuanhu95/hsa-test (1.0.0)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description align with requested credentials (EZVIZ_APP_KEY, EZVIZ_APP_SECRET) and the included code implements token retrieval and URL generation for Ezviz API endpoints.
! Instruction Scope
SKILL.md and the code explicitly read ~/.openclaw/{config.json,gateway/config.json,channels.json} as a fallback; this can expose any secrets stored in those files. The skill also documents and uses optional env vars (EZVIZ_DEVICE_SERIAL, EZVIZ_CHANNEL_NO, EZVIZ_TOKEN_CACHE) beyond the two declared required vars — the behavior is documented but expands scope to local file reads.
Install Mechanism
No install script or remote download is used (instruction-only skill with bundled Python files). This is lower risk than fetching and executing remote archives.
Credentials
Required env vars (app key/secret) are proportional to the purpose. Additional optional env vars are used but are documented. The skill does not request unrelated cloud credentials.
! Persistence & Privilege
The token_manager writes a global cache file under the system temp directory (/tmp/ezviz_global_token_cache/global_token_cache.json) and sets 0600 permissions. While restricted to the same OS user, the cache is shared across skills and persists tokens for up to their expiry—this increases the local blast radius and may retain access tokens longer than desired.
Assessment
This skill is internally coherent for generating Ezviz preview/playback links, but review and consider the following before installing:
- Use a dedicated, least-privileged Ezviz AppKey/AppSecret (do not use master account credentials).
- Prefer environment variables (EZVIZ_APP_KEY and EZVIZ_APP_SECRET) to avoid the skill reading ~/.openclaw/*.json. If those files contain other service credentials, relocate or strip them first.
- The skill caches access tokens in /tmp/ezviz_global_token_cache/global_token_cache.json (file mode 0600). If you are uncomfortable with a shared local cache, set EZVIZ_TOKEN_CACHE=0 or run the skill in an isolated environment/container and clear the cache after use.
- Inspect the bundled scripts (scripts/generate_preview.py and lib/token_manager.py) yourself if you are unsure; they appear to call only the documented Ezviz API domain (openai.ys7.com) and perform local file I/O for caching and config lookup.
- If you need higher assurance, run the skill on an isolated machine or container, and rotate/revoke AppKey/AppSecret after testing.

If you want, I can list the exact lines where config files are read and where the cache is written so you can review them quickly.

Like a lobster shell, security has layers — review code before you run it.

latest: vk973sch46zpte791nj6swg2a0h837txx

Runtime requirements

📺 Clawdis
Env: EZVIZ_APP_KEY, EZVIZ_APP_SECRET
Primary env: EZVIZ_APP_KEY