Homey - Home Automation
v1.0.0Control Homey home automation hub via CLI. Use when you need to control smart home devices (lights, thermostats, sockets, etc.), check device status, list zones, trigger flows, or perform any Homey automation tasks. Supports on/off, dimming, color changes, temperature control, and device inspection. Safe, capability-allowlisted operations only.
⭐ 3· 2k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The stated purpose (control Homey via CLI) legitimately requires Homey OAuth credentials and a CLI implementation. However, registry metadata lists no required environment variables or binaries while SKILL.md explicitly requires HOMEY_CLIENT_ID, HOMEY_CLIENT_SECRET, HOMEY_REDIRECT_URL and a local CLI (run.sh). This metadata/instruction mismatch is incoherent.
Instruction Scope
SKILL.md directs the agent to run 'npm install' and 'bash run.sh' and to perform an OAuth login that stores tokens under ~/.config/homey-cli/. Those runtime actions involve executing code and storing credentials; the instruction set itself is focused on Homey tasks, but it presumes the presence of local code (run.sh and a package) that is not included—granting an agent permission to run arbitrary install/run steps without bundled code is risky.
Install Mechanism
There is no declared install spec in the registry, yet SKILL.md instructs running 'npm install' in 'skills/homey-cli' and using a run.sh script. Because no code files are present in the bundle, following these steps would pull packages from npm and try to execute a local script that doesn't exist in the skill archive. That combination (no install metadata + instructions to fetch and run code) is disproportionate and increases risk.
Credentials
The environment variables described in SKILL.md (HOMEY_CLIENT_ID, HOMEY_CLIENT_SECRET, HOMEY_REDIRECT_URL, and optional HOMEY_CLI_ALLOWED_CAPABILITIES) are appropriate for an OAuth-based Homey CLI. However, the skill metadata declares no required env vars or primary credential, which is inconsistent. The skill will also store tokens in the user's home (~/.config/homey-cli/), which is expected but should be disclosed in metadata.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide settings. It will store credentials and config in ~/.config/homey-cli/, which is a normal behavior for a CLI and reasonable for its purpose. Autonomous invocation is allowed by default (not a standalone red flag).
What to consider before installing
Do not install or run this skill without verifying its source and contents. Specific checks to perform before using it:
- Confirm there is a publicly viewable code repository or official release (homepage/source is missing). If none exists, treat the package as untrusted.
- Inspect run.sh and package.json (or equivalent) before running npm install; those files are not included in the skill bundle but SKILL.md expects them. Running npm install could pull arbitrary code.
- Only create a Homey OAuth client and provide client secret if you trust the code that will use it. Prefer creating a client with the minimum scopes and revoke it if you suspect misuse.
- Because tokens are stored under ~/.config/homey-cli/, plan where those credentials will live and consider using a throwaway account or isolated environment (VM/container) while testing.
- Ask the publisher for the missing install files or a link to the code repository; if they cannot supply them or the run.sh/package contents look suspicious, do not proceed.
If you want to proceed safely: obtain the exact CLI code, review it (or have someone audit it), run installs in a sandbox, and only then configure real credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk9789vya00dea7ybh7aqdc3j1x7ztqwp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.