Hik-Cloud Device Control

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: hik-cloud-open-device-control
Version: 1.0.0

The skill bundle is a legitimate tool for managing Hikvision Cloud devices via the Hik-Cloud OpenAPI. The primary script (hik_open_device_control.py) implements standard OAuth2 authentication, token caching in a local directory, and structured API calls using the Python standard library. No evidence of data exfiltration, malicious code execution, or prompt injection was found; the logic is well-documented, includes comprehensive unit tests, and aligns perfectly with the stated purpose of device control (PTZ, OSD, and storage management).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked too broadly or from an ambiguous request, the agent could change alarm state, move cameras, capture images, alter device settings, or start storage-card initialization.

Why it was flagged

The invocation scope covers sensitive device-control and storage-initialization actions, but the artifact does not show an explicit approval step or safety gate before executing these high-impact operations.

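Skill content

Use when the user mentions device serial numbers, channel numbers, arming/disarming, image capture, PTZ movement, OSD settings, time synchronization, NTP configuration, storage-card initialization, and similar scenarios.

Recommendation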

Require explicit user confirmation for mutating actions, especially storage initialization, arm/disarm, PTZ movement, capture, OSD/time/NTP changes, and verify device serial/channel before execution.

What this means

The configured credentials may grant access to control real Hik-Cloud devices, and a custom base URL would receive the token request.

Why it was flagged

The skill requires Hik-Cloud credentials and allows the authentication and device API base URL to be customized, which is expected for this provider integration but means credentials should only be used with trusted endpoints.

Skill content

env: { HIK_OPEN_CLIENT_ID: "...", HIK_OPEN_CLIENT_SECRET: "...", HIK_OPEN_BASE_URL: "https://your-custom-base-url" } ... The authentication endpoint and the device endpoints both follow the same base URL.

Recommendation

Use least-privilege Hik-Cloud credentials, avoid sharing tokens, protect environment variables and cache files, and only set HIK_OPEN_BASE_URL or --base-url to trusted Hik-Cloud environments.