Skill v1.0.2
ClawScan security
Ezviz Open PTZ Control · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 19, 2026, 3:18 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and environment requirements are consistent with its stated purpose (controlling Ezviz PTZ devices); the main notable risk is the optional global token cache which shares tokens between processes running as the same user.
- Guidance: This skill appears to do what it says, but review and follow these precautions before installing:
  - Use dedicated Ezviz AppKey/AppSecret with the minimal permissions required (do not use account master credentials).
  - If you do not want tokens persisted, set EZVIZ_TOKEN_CACHE=0 to disable caching; otherwise cached tokens are stored under /tmp/ezviz_global_token_cache/global_token_cache.json with 0600 permissions (usable by any process running as the same OS user).
  - Audit the included Python files (scripts/main.py and lib/token_manager.py) before running; the code performs network requests to https://openai.ys7.com (the declared Ezviz Open API). Ensure this domain is the expected provider for your region.
  - Run the skill under a dedicated system user or environment if you are concerned about other local processes reusing tokens.
  - Validate the code on your platform (some listed excerpts were truncated in the bundle preview; verify the full scripts run without syntax/name errors) and run in a sandbox or test account first.
  If you need higher assurance, request the full, untruncated source for inspection or run the tool in an isolated environment with test credentials.
Review Dimensions
- Purpose & Capability (ok): Name/description, required env vars (EZVIZ_APP_KEY, EZVIZ_APP_SECRET), and the code all align: the package calls Ezviz API endpoints to list devices, control PTZ, and manage presets. No unrelated services or credentials are requested.
- Instruction Scope (ok): SKILL.md instructs only to provide Ezviz credentials, install requests, and optionally disable token caching. Runtime instructions and CLI examples call the documented Ezviz API endpoints (openai.ys7.com). The instructions do reference reading/writing a token cache in /tmp, which is relevant to token management and documented.
- Install Mechanism (ok): This is instruction-only with local Python scripts; dependencies are limited to the requests library. No external download or obscure install sources are used in the provided files.
- Credentials (ok): Only Ezviz credentials are required (EZVIZ_APP_KEY, EZVIZ_APP_SECRET) and are justified by the interaction with the Ezviz API. The SKILL.md explicitly recommends minimal-permission credentials. No unrelated secrets or system credentials are requested.
- Persistence & Privilege (note): The skill creates/uses a global token cache in the system temp directory (/tmp/ezviz_global_token_cache/global_token_cache.json) with file mode 0600. This is coherent for token reuse, but it means any other code running under the same OS user can also read/use the cached tokens. The skill is not marked always:true and does not modify other skills' configurations.
