Ezviz Open Picture

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill largely matches its Ezviz camera-snapshot purpose, but its documentation includes real-looking Ezviz credentials and it handles long-lived camera access tokens, so it should be reviewed before use.

Before installing, do not copy the README's example credentials. Use your own dedicated Ezviz app key/secret with minimal permissions, set them through environment variables, and consider `EZVIZ_TOKEN_CACHE=0` if you do not want access tokens stored locally. Treat captured images and returned picture URLs as sensitive.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or agent could accidentally reuse these example credentials, or a real Ezviz application secret may be exposed in the package.

Why it was flagged

The documentation contains concrete credential-looking values, including an app secret, instead of placeholders. Hardcoded provider credentials are not needed for the stated camera-capture purpose and may be real or encourage unsafe copying.

Skill content

python3 lib/token_manager.py get --app-key "26810f3acd794862b608b6cfbc32a6b8" --app-secret "3155063e93f09f377eaf5ba9f321f8c2"

Recommendation

Replace the values with obvious placeholders, rotate the exposed Ezviz app secret if it is real, and use only your own dedicated minimal-permission credentials.

What this means

The skill may use Ezviz credentials stored in local OpenClaw configuration files if environment variables are not set.

Why it was flagged

If environment variables are missing, the skill reads local OpenClaw config files and extracts `channels.ezviz` credentials. This is disclosed and scoped, but it is still local credential/profile access.

Skill content

config_paths = [os.path.expanduser("~/.openclaw/config.json"), os.path.expanduser("~/.openclaw/gateway/config.json"), os.path.expanduser("~/.openclaw/channels.json")]; ezviz_config = channels.get("ezviz", {})

Recommendation

Set `EZVIZ_APP_KEY`, `EZVIZ_APP_SECRET`, and `EZVIZ_DEVICE_SERIAL` explicitly, and keep Ezviz credentials dedicated and least-privileged.

What this means

A cached token could be reused by local processes running as the same user, or exposed through backups/log collection of temp files.

Why it was flagged

The skill persists Ezviz access tokens in a global cache file. The code attempts owner-only permissions, and the SKILL.md discloses caching, but cached tokens can authorize camera API access until expiry.

Skill content

all_cache[cache_key] = { "access_token": access_token, "expire_time": expire_time, ... }; os.chmod(cache_file, 0o600)

Recommendation

Disable caching with `EZVIZ_TOKEN_CACHE=0` in high-security environments, and periodically clear the token cache when it is no longer needed.

What this means

Installing the skill gives the agent a way to request live snapshots from configured cameras when invoked.

Why it was flagged

The tool can call Ezviz's capture API for one or more device serials using the user's access token. This is the advertised function, but it is a privacy-sensitive action.

Skill content

DEVICE_CAPTURE_API_URL = "https://openai.ys7.com/api/lapp/device/capture"; data = { "accessToken": access_token, "deviceSerial": device_serial.upper(), "channelNo": str(channel_no) }

Recommendation

Use the skill only for intended cameras, keep device serial lists scoped, and avoid sharing returned picture URLs or downloaded images unnecessarily.