Ezviz Open Capture Phone Detect

v1.0.10

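Captures snapshots from an Ezviz camera and uses AI to detect phone-use behavior; when it is detected, a voice alert is generated and sent to the device for playback.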

by EzvizOpenTeam @ezviz-open
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill is an Ezviz-based phone-usage detection + voice-alert tool. It legitimately needs Ezviz appKey/appSecret and device serials, calls Ezviz capture/detection/voice APIs, and uses edge-tts for TTS — all consistent with the described functionality. Note: the registry metadata at the top-level showed no required env vars, while SKILL.md and the script declare EZVIZ_APP_KEY, EZVIZ_APP_SECRET and EZVIZ_DEVICE_SERIAL as required; this is a packaging/metadata mismatch to be aware of.
Instruction Scope
SKILL.md and the script limit actions to Ezviz APIs and edge-tts; they do not request unrelated system files or unrelated cloud credentials. The instructions explicitly state image/TTS/voice flows and list third-party endpoints. Important privacy behavior: camera images are sent to open.ys7.com for AI analysis, TTS text is sent to edge-tts.microsoft.com, and generated audio is stored via Alibaba OSS (aliyuncs.com). This is expected for the stated purpose but has significant privacy implications (camera frames leave the local environment).
Install Mechanism
No install spec is bundled; this is effectively an instruction+script package. Dependencies are typical (requests, edge-tts). No arbitrary downloads, custom binaries, or extract/install steps are present in the package metadata — lower install risk. The script relies on pip-installable libraries as documented.
Credentials
The required environment variables declared in SKILL.md (EZVIZ_APP_KEY, EZVIZ_APP_SECRET, EZVIZ_DEVICE_SERIAL, optional EZVIZ_CHANNEL_NO) are appropriate and proportionate for Ezviz API usage. There are no unrelated secrets requested. However, the top-level registry metadata lists 'Required env vars: none' which contradicts the SKILL.md; verify the runtime will receive the declared env vars. The SKILL.md also marks EZVIZ_APP_KEY as primaryEnv — that is logical for the service.
Persistence & Privilege
The skill does not request always:true or system-wide privileges. It caches accessToken in memory per SKILL.md/script and claims not to write tokens to disk. It does not attempt to modify other skills or global agent config.
Assessment
This skill appears to do what it says: capture Ezviz camera images, send them to Ezviz for phone-use detection, generate TTS via edge-tts, upload audio via Ezviz/OSS and trigger device playback. Before installing:
1) Verify you will supply EZVIZ_APP_KEY, EZVIZ_APP_SECRET, and device serial(s) (the package metadata omitted these but SKILL.md and the script require them).
2) Accept the privacy implications: camera frames are sent to Ezviz for analysis and TTS text is sent to Microsoft; ensure you have legal/organizational consent for surveillance.
3) Use least-privilege appKey/appSecret and avoid using main account credentials; rotate keys regularly.
4) Test in a controlled environment first (rate limits and device requirements are noted in SKILL.md).
5) If you need stronger guarantees about data handling, review the full script to confirm it truly avoids logging credentials or writing tokens to disk and confirm network endpoints are only those documented (open.ys7.com, aidialoggw.ys7.com, edge-tts.microsoft.com, aliyuncs.com).
6) If the top-level metadata mismatch worries you, ask the publisher to correct packaging so required env vars are visible in registry metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk978txjhnx6ym79vvmr5d3n11x82v63c
