Hik-Cloud Device Channel Management
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: hik-cloud-open-device-channel-management
Version: 1.0.0
The skill bundle is a legitimate integration for managing Hik-Cloud device channels. The primary script (hik_open_device_channel_management.py) implements standard OAuth2 authentication and interacts with official Hikvision API endpoints (api2.hik-cloud.com). It follows security best practices by handling token management internally and caching credentials in a standard local directory (~/.cache/hik_open/token.json) rather than exposing them to the user. No evidence of malicious intent, data exfiltration, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken invocation could rename a channel or synchronize channel data for the wrong device.
The skill exposes API operations that can modify or synchronize cloud/device channel state. This is disclosed and aligned with the stated purpose, but it is still a mutating capability.
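This skill handles only the following capabilities:
- Query the list of channels under a device
- Synchronize the channels under a device
- Rename a channel
- Synchronize device channel names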
Use `list` to verify the device and channel first, and require clear user confirmation before running `sync`, `rename`, or `sync-names` in sensitive environments.
The skill can act with whatever permissions the configured Hik-Cloud application credentials grant.
The script uses the Hik-Cloud client ID and secret to obtain an OAuth access token. This is expected for the integration, and no unrelated credential use is shown.
"client_id": client_id, "client_secret": client_secret, "grant_type": "client_credentials", "scope": "app"
Use least-privilege Hik-Cloud application credentials, store them securely, rotate them if exposed, and avoid setting `HIK_OPEN_BASE_URL` or `--base-url` to untrusted endpoints.
Anyone or any local process with access to the cache file may be able to reuse the cached access token until it expires.
The script persists OAuth token material in a local cache file for reuse. This is documented and purpose-aligned, but access tokens are sensitive.
DEFAULT_TOKEN_CACHE = Path.home() / ".cache" / "hik_open" / "token.json" ... cache_file.write_text(json.dumps(payload, ensure_ascii=False, indent=2), encoding="utf-8")
Protect the local cache directory, avoid sharing the account or home directory with untrusted users, and delete the token cache or rotate credentials if compromise is suspected.
