ClawHub

Ezviz Open Multimodal Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it captures Ezviz camera snapshots and sends them to Ezviz AI services for analysis, with sensitive behavior mostly disclosed.

Install only if you are comfortable sending selected camera snapshots, image URLs, device identifiers, prompts, and Ezviz credentials to Ezviz cloud endpoints. Use a dedicated least-privilege Ezviz AppKey/AppSecret, verify the configured device serials, prefer explicit environment variables over local config fallback, and disable token caching with EZVIZ_TOKEN_CACHE=0 on shared or high-security machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill silently reads Ezviz credentials from unrelated local OpenClaw config files, expanding the trust boundary beyond the declared environment variables. This can cause unintended credential use, cross-context secret exposure, and surprising access to cameras/accounts the operator did not explicitly authorize for this run.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document describes obtaining an access token and sending captured media URLs to third-party EZVIZ AI endpoints, but it does not clearly warn that credentials and surveillance-derived media will be transmitted to external services. In a camera-analysis skill, this matters because users may process sensitive monitoring imagery without explicit disclosure of privacy, retention, or data-handling implications.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill captures camera images and transmits them to remote analysis services, but the user-facing messaging in the code does not provide an explicit privacy warning or consent checkpoint at execution time. In a surveillance context, this raises meaningful privacy and compliance risk because sensitive visual data may be sent off-device without sufficiently explicit notice.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal