Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cinmoore Skill Devices

v1.0.0

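神眸 smart device control skill: integrates atomic capabilities such as device control, video recording, event queries and VLM analysis, and supports AI intent understanding and automated composition. Invoke when user wants to control devices, analyze video, query events, or understand device capabilities.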

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The description (device control, video recording, VLM analysis) matches the CLI commands in SKILL.md. However the skill metadata declares no required environment variables or credentials, while the README and SKILL.md clearly expect a .env file containing SDK credentials, LLM/VLM API keys, and user/password. That mismatch (no declared env but instructions requiring multiple secrets) is inconsistent and unexplained.
! Instruction Scope
The SKILL.md instructs agents to download and only interact with a compiled executable for all operations and explicitly forbids inspecting its contents ("绝对不可" view the binary). It also directs creation/use of a .env file with many credentials. The instructions thus grant the binary broad access and attempt to prevent transparency or review — scope exceeds a simple CLI mapping and prevents independent verification.
! Install Mechanism
Install steps (in openclaw.install) download platform-specific executables and FFmpeg from an Alibaba OSS bucket (super-acme-shoot-sh.oss-cn-shanghai.aliyuncs.com) and write them to disk. This is a high-risk pattern: arbitrary compiled code fetched from a third-party URL with no published checksums or provenance. No standard package/release host (GitHub release, official vendor) or signature is provided.
! Credentials
Although the registry lists no required env vars, the README/.env template expects many sensitive values (SDK_APP_KEY/SECRET, SDK_USERNAME/PASSWORD, LLM_API_KEY, model endpoints). Requesting these secrets could be legitimate for LLM/VLM and device SDKs, but the skill fails to declare them in metadata and gives no justification for storing username/password alongside API keys. The combination of undeclared secrets + opaque binary is disproportionate.
Persistence & Privilege
always is false and the skill doesn't declare system-wide changes. The install writes binaries and a .env file into the working directory and claims it will register a global command (README), but the provided install commands only download files locally. Still, the binary could later persist or call home; the SKILL.md warning not to inspect the binary is an additional operational control that increases risk.
What to consider before installing
This skill raises several red flags you should consider before installing: it downloads and runs a closed-source executable from a third-party OSS URL (no checksums or signatures), asks you to store many sensitive credentials (API keys, username/password) even though the registry metadata lists none, and explicitly forbids inspecting the binary — which prevents auditing.

If you need this functionality, prefer a vendor-signed release or published source code, ask for cryptographic checksums and a verifiable release host (e.g., GitHub Releases or vendor site), and insist on minimal required credentials. If you must test it: run it in an isolated sandbox or VM with no access to other sensitive systems or corporate credentials, monitor outbound network connections, and do not place real API keys or passwords in .env (use test accounts).

Request from the publisher:
(1) source code or reproducible build instructions,
(2) signed binaries with checksums,
(3) an explanation why credentials are required and which exact values are mandatory, and
(4) confirmation that the local homepage (192.168.8.60) and the OSS download URLs are legitimate for your environment.

Providing these will increase confidence and could change the assessment.


Runtime requirements

🏠 Clawdis
latest vk97anfwe71xg9q67dbb6gkqctx84d21h
53 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

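神眸 Smart Device Control Skill (CLI Agent Reference)

🔴 Core behavior constraints for the AI agent (STRICT INSTRUCTIONS FOR LLM):

  1. Strictly stay in bounds: this skill is an already-compiled standalone binary (no Python environment needed). You must never attempt to view its contents with commands such as cat or read, and you must never attempt to write Python scripts to call it.
  2. The only way to interact: you must use, and only use, the CLI commands below to complete user tasks. Every operation must be carried out by running the executable directly.
  3. Variable check: before executing any device control command, if you find a newly created .env.cinmoore_skill_devices in the current directory that contains default values such as your_app_key_here, you must first remind the user to fill in complete, real authentication details, or pass the global parameters inline when running the command (e.g. --app-key xxx).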

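Core CLI command reference

Note: the examples below use the Linux form (./cinmoore-skill-devices). If you are running on Windows, replace it with .\cinmoore-skill-devices.exe. All commands must be run with .env.cinmoore_skill_devices configured or with the global authentication parameters supplied.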

1. Basic device queries and control

  • Get device information: ./cinmoore-skill-devices device-info <device name>
  • Get the device list: ./cinmoore-skill-devices all-group-device-list
  • Query the device capability set: ./cinmoore-skill-devices capabilities <device name>
  • Get the current algorithm values: ./cinmoore-skill-devices algorithm-value <device name>
  • Set an algorithm switch: ./cinmoore-skill-devices set-algorithm <device name> <identifier> <value> (e.g. to turn off human detection: ... set-algorithm 5500... PeopleDetectEnable 0)

2. Pan-tilt (PTZ) control

  • Move the PTZ: ./cinmoore-skill-devices ptz <device name> <action> [--speed SLOW|MEDIUM|FAST] (supported actions: LEFT / RIGHT / UP / DOWN / UP_LEFT, etc.)
  • Stop the PTZ: ./cinmoore-skill-devices stop-ptz <device name>
  • Calibrate the PTZ: ./cinmoore-skill-devices ptz-calibrate <device name>

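3. Events and video media processing

  • Query alarm events: ./cinmoore-skill-devices query-events <device name> [--begin timestamp] [--end timestamp]
  • Start a live stream: ./cinmoore-skill-devices start-live <device serial number>
  • Record video: ./cinmoore-skill-devices record <device serial number> [--duration seconds] [--output output path]
  • Extract video frames: ./cinmoore-skill-devices extract-frames <video path> <output directory> [--mode fps|frame_count] [--fps frame rate] [--frame-count number of frames]
  • VLM multi-image visual analysis: ./cinmoore-skill-devices see-analyze <extracted-frames directory> [--prompt analysis prompt]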

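4. Composite AI automation commands

  • Direct natural-language intent: ./cinmoore-skill-devices ai-intent <device name> "<natural-language instruction>" (e.g. ... ai-intent SN123 "不想检测到人", meaning "I don't want people to be detected", is parsed automatically and the corresponding algorithm switch is applied)
  • PTZ move + record combination: ./cinmoore-skill-devices ptz-record <device name> <action> [--speed SLOW|MEDIUM|FAST] [--duration seconds] [--output output path] [--stop-duration seconds]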
