v1.0.0

Hik Cloud Device Alarm Capability Management

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:12 AM.

Analysis

This skill is purpose-aligned, but it can change security-device alarm settings and handles Hik-Cloud credentials in ways users should review carefully before installing.

Guidance: Install only if you trust this skill with Hik-Cloud app credentials and permission to change device alarm settings. Use least-privileged credentials, keep the base URL on a trusted Hik endpoint, confirm all mutation commands before execution, and protect or clear the local token cache.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
references/device-alarm-capability-management.md
`update-status`: modify alarm capability status ... `status` = regular alarm capability status ... `0` off/disarm, `1` on/arm

The skill can change whether alarm capabilities are armed or disarmed, but the artifacts do not show an explicit approval or rollback safeguard before these mutations.

User impact: If invoked with the wrong device, channel, ability code, or state, the agent could change security alarm behavior on Hik-Cloud devices.
Recommendation: Require explicit user confirmation of deviceSerial/channelId, abilityCode/type, and target state before running mutation commands; prefer listing current state first.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
references/auth.md
Parameters: `client_id`, `client_secret` ... authentication endpoints and business endpoints both follow the current base URL ... `HIK_OPEN_BASE_URL` (optional; used to specify a custom environment domain)

OAuth credentials are sent to the current base URL, and the base URL is configurable; the artifacts do not show an allowlist or HTTPS-only restriction for where the client secret may be sent.

User impact: A mistaken or prompt-influenced custom base URL could disclose Hik-Cloud credentials or tokens to an unintended service.
Recommendation: Use only trusted Hik-Cloud endpoints, avoid accepting base URLs from task text, and add domain/HTTPS validation or an allowlist for OAuth requests.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/hik_open_device_alarm_capability_management.py
DEFAULT_TOKEN_CACHE = Path.home() / ".cache" / "hik_open" / "token.json" ... cache_file.write_text(json.dumps(payload, ensure_ascii=False, indent=2), encoding="utf-8")

The helper writes token material to a persistent local cache file, which is expected for automatic token refresh but sensitive.

User impact: OAuth access tokens may remain on disk after the task and could be read by local processes or users with access to that file.
Recommendation: Store the cache in a protected location, restrict file permissions, clear the cache when no longer needed, and rotate credentials if exposure is suspected.