Ezviz Open Picture

Pass

Audited by VirusTotal on May 15, 2026.

Findings (1)

The skill captures images from Ezviz cameras but exhibits high-risk behavior by scanning platform-level configuration files (~/.openclaw/config.json, ~/.openclaw/gateway/config.json, and ~/.openclaw/channels.json) to extract credentials. While this is documented as a fallback mechanism in SKILL.md, it grants the skill access to sensitive platform-wide data beyond its immediate scope. Additionally, the skill implements a global token cache in the system's temporary directory (/tmp/ezviz_global_token_cache/), which persists sensitive access tokens. Although the code includes security validations (e.g., regex for device serials in scripts/device_capture.py and 0600 file permissions in lib/token_manager.py) and uses the official Ezviz API (openai.ys7.com), the broad file system access to platform configs is a significant security risk.