Skill v1.0.0

ClawScan security

smarthome · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 10, 2026, 3:13 PM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly implements the promised Home Assistant + Tuya control, but there are inconsistent metadata and documentation vs. code differences (env-var support missing, discovery stubbed) and mismatched package metadata that warrant caution before installing.
Guidance
Proceed with caution. The implementation aligns with controlling Home Assistant and Tuya, but there are red flags: (1) registry metadata (name/owner/version) differs from the internal _meta.json and README — this can indicate repackaging or poor publishing hygiene; (2) SKILL.md documents environment-variable setup that the script does not implement (the script only reads a config file); (3) the discovery command is a placeholder and may not populate the device cache as promised. Before installing, review scripts/smart.py locally and: (a) ensure you create the config file at ~/.config/universal-smarthome/config.json rather than relying on env vars, (b) inspect network endpoints you configure (the script will contact the HA URL you provide and the Tuya endpoint), (c) avoid pasting real production credentials until you’ve tested in a safe environment, and (d) consider running the script in an isolated host or container and reading the source to ensure no unexpected data-sending behavior. If you need higher assurance, ask the publisher to reconcile the metadata and update the documentation or provide a vetted release from a known homepage/source.

Review Dimensions

Purpose & Capability
note: The code (scripts/smart.py) implements Home Assistant control and Tuya cloud calls as described, and stores credentials locally — so purpose matches implementation. However, the package/registry metadata (ownerId/slug/version) does not match the internal _meta.json and the SKILL name (smarthome vs universal-smarthome), which could indicate repackaging or sloppy publishing.
Instruction Scope
concern: SKILL.md documents two setup options (config file OR environment variables). The script only reads a config file (~/.config/universal-smarthome/config.json) and does not read the documented environment variables; discovery is advertised, but the discovery command is a stub (it does not actually fetch/merge devices). This mismatch between runtime instructions and actual behavior is scope creep/incorrect documentation and could confuse users when credentials placed in env vars are ignored.
Install Mechanism
ok: This is an instruction-only skill with no install spec — nothing is automatically downloaded or written during install. The only file that runs is the included script; no external install URLs or archive downloads are present.
Credentials
note: The skill legitimately needs a Home Assistant token and Tuya access_id/access_secret to function; the script expects those in a local config file. Registry metadata lists no required env vars/credentials (which is inconsistent with SKILL.md), but the credentials requested are proportional to the stated purpose. There is no evidence the code requests unrelated credentials.
Persistence & Privilege
ok: The skill does not request persistent always:true, does not modify other skills or system-wide configs, and only stores config/cache under ~/.config/universal-smarthome, consistent with its purpose.