Hik-Cloud Device Alarm Capability Management

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dynamic_code_execution

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A wrong device, channel, ability code, status, or enable value could unintentionally turn alarm or detection behavior on or off.

Why it was flagged

The skill can modify alarm capability status and smart-detection switches. That is directly aligned with the stated purpose, but these are security-device settings and mistakes could affect monitoring.

Skill content
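This skill handles only the following capabilities:
- Get the device's list of regular alarm capabilities
- Modify alarm capability status
- Device smart-detection switch status

Recommendation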

Use the list operation first when unsure, and confirm the exact deviceSerial, channelId, abilityCode/type, and desired status before running update-status or intelligence-switch.

What this means

Anyone who can access these environment variables or the cached token may be able to perform the same device-management actions allowed by the Hik OpenAPI credentials.

Why it was flagged

The skill uses OAuth/client credentials and token storage to act against the user's Hik-Cloud account. This is expected for the integration, but the credentials and cached token are sensitive.

Skill content
Token source priority:
- `--access-token`
- `HIK_OPEN_ACCESS_TOKEN`
- token cache
- `HIK_OPEN_CLIENT_ID + HIK_OPEN_CLIENT_SECRET` (exchanged automatically for a token)

Recommendation

Provide credentials only through trusted OpenClaw environment configuration, avoid exposing tokens on command lines or logs, and protect or periodically clear the local token cache.

Findings (1)

critical

suspicious.dynamic_code_execution

Location
tests/test_hik_open_device_alarm_capability_management.py:22
Finding
Dynamic code execution detected.