Ezviz Open Safety Production Inspection
v1.0.0Ezviz safety production inspection skill. Captures device images and sends to Ezviz AI for workplace safety analysis.
⭐ 0· 111·0 current·0 all-time
byEzvizOpenTeam@ezviz-open
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description match the code and runtime instructions: the skill authenticates to Ezviz (open.ys7.com), captures device images, may create/modify intelligent agents, and sends images to aidialoggw.ys7.com for AI analysis. The required environment variables (EZVIZ_APP_KEY, EZVIZ_APP_SECRET, EZVIZ_DEVICE_SERIAL) are appropriate for Ezviz API access.
Instruction Scope
Instructions explicitly describe remote side effects (query agent list, create agent from a template, capture images, send images to aidialoggw.ys7.com). The SKILL.md and scripts also read local OpenClaw config files (~/.openclaw/*) as a credential fallback, and include pre-run verification commands that read the skill files. Those fallbacks are documented in SKILL.md but may be surprising: the skill can proceed using stored credentials from config files even if you did not export env vars.
Install Mechanism
No external install/downloads; this is an instruction-and-script skill that depends on the requests Python package (declared in SKILL.md). There is no arbitrary remote install URL or extracted archive.
Credentials
Requested credentials are proportional to the stated purpose (Ezviz app key/secret and device serial). The skill also supports optional env vars (EZVIZ_TOKEN_CACHE, EZVIZ_SAFETY_TEMPLATE_ID, EZVIZ_CHANNEL_NO) and will fall back to credentials in ~/.openclaw config files. That fallback may cause the skill to use stored credentials without explicit env vars, which users should be aware of.
Persistence & Privilege
The skill does not request always:true and does not modify system-wide agent settings beyond creating/renaming agents in the Ezviz account (an intended remote side effect). It creates a global token cache in /tmp/ezviz_global_token_cache/global_token_cache.json (file permission set to 0600). Token caching is deliberate and documented, but storing tokens in a shared tmp directory is a potential privacy consideration on multi-user hosts.
Assessment
This skill appears to do what it says: it will authenticate to Ezviz, possibly create or rename an intelligent agent with '安全生产' in the name, capture device images, and send them to Ezviz's AI analysis endpoint (aidialoggw.ys7.com). Before installing or running it:
- Use a dedicated Ezviz app key/secret with minimal permissions (capture + agent management) as recommended.
- Be aware the script will look for credentials in ~/.openclaw/* if env vars aren't present — remove or audit stored config files if you don't want those credentials used.
- The skill caches access tokens under /tmp/ezviz_global_token_cache/global_token_cache.json and sets the file to 0600; review that directory on your host if multiple users share it. Consider disabling caching (EZVIZ_TOKEN_CACHE=0) for higher security.
- The skill will send images to aidialoggw.ys7.com and may create agents in your Ezviz account — test with non-production devices and review the two included files (scripts/safety_production_inspection.py and lib/token_manager.py) before execution.
If you need higher assurance, ask the author for an explicit code review checklist (particularly for token cache directory permissions and the exact agent creation payload), or run the scripts in an isolated environment (container) and with non-production credentials first.Like a lobster shell, security has layers — review code before you run it.
latestvk976dkh67hv4hk2q0w2354jz2d8368rx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚠️ Clawdis
EnvEZVIZ_APP_KEY, EZVIZ_APP_SECRET, EZVIZ_DEVICE_SERIAL
Primary envEZVIZ_APP_KEY