Ezviz Open PTZ Control

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its Ezviz camera-control purpose, but its credential handling conflicts with its safety claims and may expose Ezviz secrets through command-line arguments.

Install only if you are comfortable granting this skill control over your Ezviz PTZ devices. Use a dedicated minimal-permission Ezviz app key, prefer environment variables, avoid putting secrets in command lines, and consider disabling or clearing the token cache in sensitive environments.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may unintentionally expose Ezviz account credentials while trying to use the skill.

Why it was flagged

The script requires the Ezviz app key and secret as command-line arguments, which conflicts with the SKILL.md and registry expectation that environment variables are used. Command-line secrets can be exposed through shell history, logs, or local process listings.

Skill content

print("Usage: python3 main.py appKey appSecret <command> [params...]")
...
app_key = sys.argv[1]
app_secret = sys.argv[2]

Recommendation

Change the script to read EZVIZ_APP_KEY and EZVIZ_APP_SECRET from the environment by default, avoid passing secrets as CLI arguments, and rotate credentials if they were used on the command line.

What this means

Anyone who can read the local cache file as the same user could reuse the Ezviz access token until it expires.

Why it was flagged

The skill stores Ezviz access tokens in a local cache file. This is disclosed and protected with owner-only file permissions, but the token is still a sensitive account credential.

Skill content

"access_token": access_token,
"expire_time": expire_time,
"created_at": get_current_timestamp(),
...
os.chmod(cache_file, 0o600)

Recommendation

Use minimal-permission Ezviz credentials, disable caching with EZVIZ_TOKEN_CACHE=0 in high-security environments, and periodically clear the token cache.

What this means

If invoked with the wrong device serial or parameters, the camera angle or saved presets could be changed unexpectedly.

Why it was flagged

The skill directly calls Ezviz APIs that move cameras and clear preset positions. This is aligned with the stated PTZ-control purpose, but it is device-state mutation.

Skill content

url = f"{API_BASE_URL}/api/lapp/device/ptz/start"
...
url = f"{API_BASE_URL}/api/lapp/device/preset/clear"

Recommendation

Confirm the target device, channel, direction, speed, and preset index before running mutating commands such as ptz_start, preset_move, preset_clear, or mirror.