Hik-Cloud Device Channel Management
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent and purpose-aligned for Hik-Cloud device channel management, but it uses real cloud credentials, can change device channel state, and caches access tokens locally.
Install this only if you intend the agent to manage Hik-Cloud device channels using your configured credentials. Prefer limited-scope credentials, keep the token cache private, verify device serial/channel details before mutating actions, and only use trusted base URLs.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken invocation could rename a channel or synchronize channel data for the wrong device.
The skill exposes API operations that can modify or synchronize cloud/device channel state. This is disclosed and aligned with the stated purpose, but it is still a mutating capability.
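This skill handles only the following capabilities:
- Query the channel list of a device
- Synchronize the channels of a device
- Rename a channel
- Synchronize device channel names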
Use `list` to verify the device and channel first, and require clear user confirmation before running `sync`, `rename`, or `sync-names` in sensitive environments.
The skill can act with whatever permissions the configured Hik-Cloud application credentials grant.
The script uses the Hik-Cloud client ID and secret to obtain an OAuth access token. This is expected for the integration, and no unrelated credential use is shown.
"client_id": client_id, "client_secret": client_secret, "grant_type": "client_credentials", "scope": "app"
Use least-privilege Hik-Cloud application credentials, store them securely, rotate them if exposed, and avoid setting `HIK_OPEN_BASE_URL` or `--base-url` to untrusted endpoints.
Anyone or any local process with access to the cache file may be able to reuse the cached access token until it expires.
The script persists OAuth token material in a local cache file for reuse. This is documented and purpose-aligned, but access tokens are sensitive.
DEFAULT_TOKEN_CACHE = Path.home() / ".cache" / "hik_open" / "token.json" ... cache_file.write_text(json.dumps(payload, ensure_ascii=False, indent=2), encoding="utf-8")
Protect the local cache directory, avoid sharing the account or home directory with untrusted users, and delete the token cache or rotate credentials if compromise is suspected.
