Philips Hue

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent local Philips Hue control skill, but it stores a Hue API key locally and can change real light states, so use it deliberately and protect its .env file.

This skill appears safe for its stated purpose. Before installing, make sure you are comfortable giving it a Hue bridge API key, keep the .env file private, and only allow the agent to run light-changing commands when that matches your intent.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who gets the .env file and can reach the bridge may be able to control the user’s Hue lights.

Why it was flagged

The skill relies on a Hue API key/username for bridge access. This is expected for Hue control, but the credential gives control over lights and should be protected.

Skill content
USERNAME=your_api_key   # Obtained after pairing
Recommendation

Keep .env private, do not paste the Hue API key into shared files or prompts, and revoke/regenerate the Hue username if it may have leaked.

What this means

An invocation can turn lights on or off or change brightness/color.

Why it was flagged

The script sends state-changing API requests to Hue lights. This is the intended function, but it can visibly change the user’s physical environment.

Skill content
call_api "/lights/$ID/state" "$STATE"
Recommendation

Use the skill only for intended lighting actions, and review agent-initiated uses if you do not want autonomous light changes.

What this means

If an attacker can modify the skill’s .env file, they could cause local commands to run under the user’s account when the script is invoked.

Why it was flagged

The script sources .env as shell code rather than parsing it as data. This is a common pattern for shell configuration, but a tampered .env could execute commands when the skill runs.

Skill content
if [ -f "$CONFIG_FILE" ]; then
  . "$CONFIG_FILE"
fi
Recommendation

Only place simple BRIDGE_IP and USERNAME assignments in .env, keep the skill directory writable only by trusted users, and avoid copying untrusted .env content.

What this means

Future agent sessions may see and rely on the saved command reminder.

Why it was flagged

The documentation suggests adding persistent workspace guidance. It does not ask the user to store secrets there, but persistent tool notes can affect future agent behavior.

Skill content
add a reminder of these commands in your `TOOLS.md` file at the root of your workspace
Recommendation

If adding a TOOLS.md reminder, keep it minimal and never include the Hue API key or other secrets.