Ezviz Open Restaurant Inspection

Security checks across malware telemetry and agentic risk

Overview

The skill appears related to camera-based restaurant inspection, but it uses sensitive camera-account access and has under-scoped token-persistence and remote-agent side effects that should be reviewed before installation.

Install only if you are comfortable granting access to the relevant Ezviz camera account and sending captured images to the documented external analysis service. Use a dedicated least-privilege Ezviz account, limit configured devices, review or disable token caching if possible, and require explicit confirmation before any remote agent is created.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises substantial capabilities via metadata and documented behavior—environment access, config file reads, token caching, network calls, and shell-based verification steps—but there is no explicit declared permission model governing those actions. That creates a transparency and consent gap: users and orchestrators may underestimate the skill's access and side effects, especially credential access, local file interaction, and remote image transmission.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is image capture and AI inspection, but the skill also documents additional behaviors with security significance: reading local config files, persisting tokens in a shared /tmp location, querying agent inventories, and creating agents from templates. This mismatch is dangerous because hidden or underemphasized behavior reduces informed consent and can introduce persistent account-side changes and credential exposure beyond what users expect from a simple inspection workflow.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill expands its authority by automatically sourcing Ezviz credentials and device identifiers from environment variables and local OpenClaw config files, rather than requiring explicit per-run user input. In a skill context, this increases the chance of unintended access to additional devices/accounts and weakens the user's ability to narrowly scope what the skill may operate on.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The published skill description says it captures images and sends them for analysis, but the code also enumerates existing intelligent agents and can create a new remote agent from a template. This is a material undocumented side effect because it changes remote account state and broadens the operation beyond passive inspection.

Session Persistence

Medium
Category
Rogue Agent
Content
warnings:
      - "Use dedicated Ezviz credentials (not main account)"
      - "Queries intelligent agent list"
      - "May create agent from template"
      - "Captures device images"
      - "Sends images to aidialoggw.ys7.com"
      - "Token cached in /tmp/ezviz_global_token_cache/ (600)"
Confidence
88% confidence
Finding
create agent from template" - "Captures device images" - "Sends images to aidialoggw.ys7.com" - "Token cached in /tmp/ezviz_global_token_cache/ (600)" sideEffects: - "Query

VirusTotal

66/66 vendors flagged this skill as clean.