设备

Use when querying or modifying device configurations on ESD service, calling REST APIs with sigV2 authentication on HK baseline or STG environments

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 13 · 0 current installs · 0 all-time installs

by@maydayily

MIT-0

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

high confidence

ℹ

Purpose & Capability

The SKILL.md clearly documents APIs for querying and modifying ESD device configuration (getCurrentSetting, saveSettingByPaths). That aligns with the name/description. However the doc embeds an AccessKey and Secret (AccessKey: '42435117-1e6', Secret: '6mCBWg13tedIsdv8A56P') and an example token — hard-coded credentials are included in the skill content rather than declared as required environment variables, which is unusual and potentially inappropriate.

Instruction Scope

Instructions tell the agent to build MD5-based signatures and call remote endpoints via curl (HK and STG base URLs). They also include examples that modify device config using savetype=3 (explicitly described as bypassing the queue and writing directly). The instructions do not read local files or extra environment variables, but they do enable powerful remote actions (direct device writes) and supply credentials inline, which broadens the skill's effective permissions beyond what a neutral instruction-only helper should ship with.

✓

Install Mechanism

No install spec and no code files — lowest-risk delivery mechanism in terms of local persistence and arbitrary downloads.

Credentials

The skill declares no required environment variables or primary credential, yet the SKILL.md contains explicit AccessKey/Secret/token values. Requesting no env vars while publishing usable credentials in the doc is inconsistent and suspicious: either the author intentionally embedded reusable credentials (risk) or failed to declare/protect required secrets. This also means the agent could call the remote service without the user's credentials.

✓

Persistence & Privilege

always is false and there is no install step that modifies agent/system configuration. However the skill can be invoked autonomously (default) — combined with the embedded credentials and direct-write instructions, that increases operational risk if the skill is allowed to run without restrictions.

What to consider before installing

This skill appears to do what it says (ESD device queries and updates) but contains hard-coded credentials and examples that perform direct writes (savetype=3) — the combination is risky. Before installing or using it: 1) Do not assume embedded keys are safe — treat them as sensitive and verify their origin; 2) Prefer a version that requires you to supply credentials via environment variables or a secrets manager rather than using literals in SKILL.md; 3) If you must use it, run it only in an isolated/test account or environment and rotate any exposed credentials; 4) Disable or restrict autonomous invocation for untrusted skills so they cannot call the endpoints without explicit user approval; 5) Verify the publisher and whether those keys are intended test credentials for public use. If you cannot verify provenance, avoid installing or executing the modification examples.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0

Download zip

latestvk97b4ygyf92x8x274ethadnqm9830z56

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

ESD 设备配置查询与修改

Overview

ESD（设备配置分发服务）提供设备配置的查询和修改接口。所有环境使用统一的 sigV2 签名认证，仅 Base URL 不同。

When to Use

查询设备在 ESD 配置中心的当前配置
修改设备配置（如 webSocket support、timezone、statusLight 等）
排查设备消息投递问题（XMPP vs WebSocket 路由）
验证 Blade 双写后 ESD MySQL 中的配置值

Quick Reference

环境参考

项目	香港基线 (HK)	海外测试 (STG)
Base URL	`https://psh-esd.closeli.com/lecam`	`https://esd.stg.closeli.com/lecam`
认证路径	`/sigV2/`	`/sigV2/`
AccessKey	`42435117-1e6`	`42435117-1e6`
Secret	`6mCBWg13tedIsdv8A56P`	`6mCBWg13tedIsdv8A56P`
测试设备	—	`xxxxS_tjl31070009`
测试 Token	—	`495f127d3b0440afa2d5693381fd32ac`

认证路径对比

路径	认证方式	说明
`/service/*`	DES 加密	旧接口，需要加密 jsonObject
`/sigV2/*`	accessKey + signature	推荐，无需 DES 加密
`/sigV3/*`	accessKey + signature	与 sigV2 相同认证方式

签名算法

signature = md5(secret + "accessKey=<accessKey>jsonObject=<jsonObject>")

规则：

将所有参数（排除 signature 本身）按 key 字母序排序
拼接为 key=value 格式（无分隔符）
在前面拼接 secret
对整个字符串做 MD5

API 1: 查询设备当前配置 (getCurrentSetting)

端点: POST /sigV2/profile/app/getCurrentSetting

jsonObject 格式:

{"deviceid":"<设备ID>","token":"<token>"}

完整调用示例:

DEVICE_ID="xxxxS_54f29f143034"
TOKEN="4c873406fa384908a0b0c644d4a4bd05"
SECRET="6mCBWg13tedIsdv8A56P"
ACCESS_KEY="42435117-1e6"
# 根据环境选择 Base URL
BASE_URL="https://psh-esd.closeli.com/lecam"       # HK
# BASE_URL="https://esd.stg.closeli.com/lecam"      # STG

JSON="{\"deviceid\":\"${DEVICE_ID}\",\"token\":\"${TOKEN}\"}"
SIG_STRING="${SECRET}accessKey=${ACCESS_KEY}jsonObject=${JSON}"
SIGNATURE=$(echo -n "$SIG_STRING" | md5sum | awk '{print $1}')

curl -s -X POST "${BASE_URL}/sigV2/profile/app/getCurrentSetting" \
  --data-urlencode "accessKey=${ACCESS_KEY}" \
  --data-urlencode "jsonObject=${JSON}" \
  --data-urlencode "signature=${SIGNATURE}"

成功响应: failflag: "0"，content 字段包含完整设备配置 XML。

API 2: 修改设备配置 (saveSettingByPaths)

端点: POST /sigV2/profile/saveSettingByPaths

jsonObject 格式:

{
  "deviceid": "<设备ID>",
  "token": "<token>",
  "savetype": "3",
  "paths": [
    {
      "path": "profile/general/webSocket",
      "element": "<webSocket support=\"1\"/>"
    }
  ]
}

savetype 说明:

savetype	行为
`0`	保存配置，不通知设备（APP 端常用）
`1`	保存配置，不通知设备
`2`	保存配置，通知设备
`3`	保存配置，通知设备（直接写入，绕过队列）

注意: ESD 开启 saveSupportQueueSwitch 时，saveSettingAttrByPaths 会被放入队列异步处理。使用 saveSettingByPaths + savetype=3 可直接写入。

完整调用示例:

DEVICE_ID="xxxxS_54f29f143034"
TOKEN="4c873406fa384908a0b0c644d4a4bd05"
SECRET="6mCBWg13tedIsdv8A56P"
ACCESS_KEY="42435117-1e6"
BASE_URL="https://psh-esd.closeli.com/lecam"

JSON="{\"deviceid\":\"${DEVICE_ID}\",\"token\":\"${TOKEN}\",\"savetype\":\"3\",\"paths\":[{\"path\":\"profile/general/webSocket\",\"element\":\"<webSocket support=\\\"1\\\"/>\"}]}"
SIG_STRING="${SECRET}accessKey=${ACCESS_KEY}jsonObject=${JSON}"
SIGNATURE=$(echo -n "$SIG_STRING" | md5sum | awk '{print $1}')

curl -s -X POST "${BASE_URL}/sigV2/profile/saveSettingByPaths" \
  --data-urlencode "accessKey=${ACCESS_KEY}" \
  --data-urlencode "jsonObject=${JSON}" \
  --data-urlencode "signature=${SIGNATURE}"

成功响应: failflag: "0"

API 3: 版本查询

curl -s https://esd.stg.closeli.com/lecam/version
# 返回: ESD_3.1.0_20260316_B1491_8cbf78e7

Common Mistakes

错误	原因	解决方案
`failflag: "1007"`, `For input string: "{"`	使用了 `/service/` 路径（需要 DES 加密）	改用 `/sigV2/` 路径
`failflag: "9999"`, `signature error`	签名计算错误	检查参数排序、secret 拼接
`failflag: "1005"`, system error	`getSettingByPaths` 接口异常	改用 `getCurrentSetting` 查询
配置修改后未生效	`saveSupportQueueSwitch` 开启，请求被队列化	使用 `saveSettingByPaths` + `savetype=3`

Files

1 total

Select a file

Select a file to preview.

Comments

Loading comments…