Ezviz Open Capture Phone Detect

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local user or log collector could capture credentials that can access configured Ezviz camera/device APIs.

Why it was flagged

The documented command-line mode passes the Ezviz appKey and appSecret as positional process arguments, so they are written to shell history and are readable by other local users through process listings (ps, /proc/<pid>/cmdline).

Skill content
python3 {baseDir}/scripts/phone_detection_alert.py appKey appSecret "dev1,dev2,dev3" 1
Recommendation

Prefer environment variables or a secret manager, remove or discourage CLI secret arguments, and use least-privilege Ezviz credentials.
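One way to implement that recommendation, as an added example that is not the skill's own code: the documented invocation (`appKey appSecret "dev1,dev2,dev3" 1`) is reshaped so only the device list and interval stay on the command line, the key pair is read from the environment, and a legacy invocation that still carries a credential-like positional argument fails before anything runs. The environment variable names, the remaining argument layout and the "secret-like" heuristic are assumptions.

```python
"""Hardened argument handling for the phone-detection alert script.

Added example, not the skill's own code: it reshapes the documented
invocation (appKey appSecret "dev1,dev2,dev3" interval) so the Ezviz
appKey/appSecret never pass through argv. The environment variable
names and the remaining positional layout are assumptions.
"""
import argparse
import re
from dataclasses import dataclass
from typing import Mapping, Sequence

KEY_VAR = "EZVIZ_APP_KEY"        # assumed name
SECRET_VAR = "EZVIZ_APP_SECRET"  # assumed name

# Heuristic for a credential accidentally passed positionally: one unbroken
# run of 32+ lowercase letters/digits. A device list contains commas and the
# interval is a short integer, so neither trips it.
SECRET_LIKE = re.compile(r"^[0-9a-z]{32,}$")


@dataclass(frozen=True)
class Credentials:
    app_key: str
    app_secret: str

    def __repr__(self) -> str:
        # Keep the secret out of tracebacks, logs and REPL output.
        return f"Credentials(app_key={self.app_key[:4]}..., app_secret=<redacted>)"


def load_credentials(env: Mapping[str, str]) -> Credentials:
    """Read the key pair from the environment (populated by the shell, a
    systemd EnvironmentFile or a secret-manager wrapper), never from argv."""
    key = env.get(KEY_VAR, "").strip()
    secret = env.get(SECRET_VAR, "").strip()
    if not key or not secret:
        raise RuntimeError(
            f"set {KEY_VAR} and {SECRET_VAR}; credentials are not accepted on the command line"
        )
    return Credentials(key, secret)


def parse_args(argv: Sequence[str]) -> argparse.Namespace:
    """Accept only non-secret parameters; fail loudly on a legacy invocation."""
    for raw in argv:
        if SECRET_LIKE.match(raw):
            raise ValueError(
                "credential-like argument on the command line; use environment variables"
            )
    parser = argparse.ArgumentParser(description="Ezviz phone-detection alert (hardened CLI)")
    parser.add_argument("devices", help="comma-separated device serials")
    parser.add_argument("interval", type=int, help="poll interval (unit as in the skill's script)")
    ns = parser.parse_args(list(argv))
    ns.devices = [d.strip() for d in ns.devices.split(",") if d.strip()]
    return ns


if __name__ == "__main__":
    import os
    import sys

    creds = load_credentials(os.environ)
    args = parse_args(sys.argv[1:])
    print(f"{creds!r} -> devices={args.devices} interval={args.interval}")
```

Run it as `EZVIZ_APP_KEY=... EZVIZ_APP_SECRET=... python3 phone_detection_alert.py "dev1,dev2,dev3" 1`; exporting the variables from a file with restrictive permissions (or from a secret-manager CLI) keeps them out of history as well. The `__repr__` matters because dataclasses otherwise print every field, which is how a secret ends up in an unhandled-exception trace.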

What this means

Anyone with access to those logs or transcripts before the link expires may be able to view the captured camera image.

Why it was flagged

In the stated workflow, image_url is the temporary camera snapshot URL; printing it can place a private surveillance-image link into OpenClaw output, logs, or retained context.

Skill content
print(f"[INFO] Analyzing image for phone usage: {image_url}")
Recommendation

Redact or truncate signed image URLs by default, only show them under an explicit debug flag, and avoid retaining camera URLs in agent context.
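A default-redacted replacement for the flagged print statement, as an added example rather than the skill's own code: host and path are kept for troubleshooting, the query string (where signed-URL expiry, key id and signature parameters normally live) is dropped with only its parameter names listed, a short hash reference allows correlating log lines without either of them carrying the usable link, and the full URL is returned only under an explicit debug flag. The sample URL and its parameter names are constructed.

```python
"""Default-redacted logging of temporary camera snapshot URLs.

Added example, not the skill's own code. It replaces the flagged
print(f"[INFO] Analyzing image for phone usage: {image_url}") with a
message that never carries the signed link unless debug is requested.
The sample URL below is constructed.
"""
import hashlib
from urllib.parse import parse_qsl, urlsplit


def url_fingerprint(url: str) -> str:
    """Short stable reference so two log lines about the same snapshot can
    be correlated without either of them containing the usable link."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()[:12]


def redact_snapshot_url(url: str, debug: bool = False) -> str:
    """Return a loggable form of a signed snapshot URL.

    Only an explicit debug flag yields the full URL; otherwise the query
    string is dropped and its parameter names are listed so an operator can
    still see what was stripped."""
    if debug:
        return url
    parts = urlsplit(url)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    stripped = f"?<{len(names)} params redacted: {','.join(names)}>" if names else ""
    return f"{parts.scheme}://{parts.netloc}{parts.path}{stripped} [ref {url_fingerprint(url)}]"


def analysis_log_line(image_url: str, debug: bool = False) -> str:
    """Drop-in replacement for the flagged print statement's message."""
    return f"[INFO] Analyzing image for phone usage: {redact_snapshot_url(image_url, debug)}"


# Constructed sample of the kind of link an object store issues for a snapshot.
SAMPLE_URL = (
    "https://snapshots.example.invalid/cam/C1234567/2026-05-10/101500.jpg"
    "?Expires=1778404500&KeyId=KEYIDexample&Signature=s3cr3tSig%2Bx"
)

if __name__ == "__main__":
    print(analysis_log_line(SAMPLE_URL))
    print(analysis_log_line(SAMPLE_URL, debug=True))
```

One caveat: if the snapshot store relies on an unguessable object name in the path rather than a signature in the query string, the path is itself the capability and should be truncated the same way.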

What this means

If these values are live, they should be treated as compromised; even if they are only examples, shipping them undermines confidence in the package's handling of secrets.

Why it was flagged

The bundled reference documentation contains realistic-looking API credential material. The script is not shown using it, but shipping secret-like values is poor artifact hygiene.

Skill content
appKey=9mqitppidgce4y8n54ranvyqc9fjtsrl&appSecret=096e7650...
Recommendation

Replace all credential/token examples with obvious placeholders and rotate/revoke any values that may be live.
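A minimal version of the kind of check that raises suspicious.exposed_secret_literal, as an added example (not ClawScan's implementation and not the skill's code): it reports Ezviz-style credential parameters that carry a realistic value, skips obvious placeholders such as `<appKey>` or `YOUR_ACCESS_TOKEN`, and masks what it reports so the scan output does not become a second copy of the secret. The parameter list, the placeholder heuristic and the sample document are constructed; the credential values in the sample are fabricated.

```python
"""Secret-literal scan for bundled reference docs.

Added example, not ClawScan's or the skill's code: a minimal check of the
kind that raises suspicious.exposed_secret_literal. The sample document
and its credential values are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Parameter names used in the Ezviz Open Platform token flow; extend as needed.
CREDENTIAL_PARAM = re.compile(
    r"\b(appKey|appSecret|accessToken)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{8,})",
    re.IGNORECASE,
)
PLACEHOLDER_WORDS = re.compile(r"your|example|placeholder|redacted|xxx", re.IGNORECASE)


@dataclass(frozen=True)
class SecretHit:
    line: int
    name: str
    masked: str


def is_placeholder(value: str) -> bool:
    """Obvious dummies: wordy placeholders, repeated characters, or a value
    too short to be a realistic API key (threshold is an assumption)."""
    if PLACEHOLDER_WORDS.search(value):
        return True
    if len(set(value.lower())) <= 2:
        return True
    return len(value) < 16


def mask(value: str) -> str:
    """Same shape as the report's own rendering (096e7650...)."""
    return value[:8] + "..."


def scan_text(text: str) -> List[SecretHit]:
    """Return one hit per realistic credential literal, by line number."""
    hits: List[SecretHit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CREDENTIAL_PARAM.finditer(line):
            name, value = m.group(1), m.group(2)
            if is_placeholder(value):
                continue
            hits.append(SecretHit(lineno, name, mask(value)))
    return hits


# Constructed sample in the style of a reference doc; the placeholder line
# must pass, the fabricated-but-realistic line must be reported.
SAMPLE_DOC = """\
# Token request (constructed sample)
curl -d 'appKey=<appKey>&appSecret=<appSecret>' https://open.ys7.com/api/lapp/token/get
curl -d 'appKey=a7f3c9e1b2d4f6a8c0e2b4d6f8a1c3e5&appSecret=0f1e2d3c4b5a69788796a5b4c3d2e1f0' https://open.ys7.com/api/lapp/token/get
accessToken: YOUR_ACCESS_TOKEN
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_DOC):
        print(f"line {hit.line}: {hit.name}={hit.masked}")
```

Run it over `references/*.md` before packaging; a hit on a placeholder line means the placeholder heuristic needs a new word, a hit on anything else means the value should be replaced and, if it was ever live, rotated.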

What this means

Running the skill can cause speakers on the configured devices to play an alert, including in test mode or across multiple device serials.

Why it was flagged

The skill can upload audio and command configured Ezviz devices to play it. This is core to the stated alerting purpose, but it is still a physical-device action.

Skill content
5. Upload voice clip (accessToken + audio.mp3 → fileUrl) ... 6. Dispatch playback (accessToken + deviceSerial + fileUrl → device plays it)
Recommendation

Use only with devices and locations you control, verify device serials carefully, and avoid scheduled/automatic runs without consent.

What this means

Surveillance images and device identifiers leave the local environment and are processed by Ezviz and related providers.

Why it was flagged

The skill clearly discloses that camera snapshots and related device data are sent to third-party provider services for analysis and playback.

Skill content
Camera snapshot image | `open.ys7.com` (Ezviz) | AI analysis of phone-usage behaviour ... includes surveillance footage
Recommendation

Confirm privacy/legal consent for monitored spaces and review provider data-retention and access policies before use.

Findings (1)

critical

suspicious.exposed_secret_literal

Location
references/ezviz-api-docs.md:138
Finding
File appears to expose a hardcoded API secret or token.