Skill v1.0.1
ClawScan security
govee-control · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (scanned Feb 17, 2026, 3:01 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions align with its stated purpose: it is an instruction-only guide for using the Govee OpenAPI and only asks for the single Govee API key and standard tools (bash/curl).
- Guidance: This skill is coherent and instruction-only, but follow basic precautions: only store GOVEE_API_KEY in a per-user secrets file (as described) and do not paste it into chats or public repos; verify that network egress to https://developer-api.govee.com is intended; review any curl commands before running them (ensure the device and model IDs are your own); if you allow the agent to run shell commands autonomously, restrict its permissions and confirm it cannot read other secret files — those runtime execution privileges are separate from the skill content.
Review Dimensions
- Purpose & Capability: ok. Name/description, required binaries (bash, curl), required env var (GOVEE_API_KEY), and all curl commands target developer-api.govee.com — these are coherent and expected for a Govee API control guide.
- Instruction Scope: ok. SKILL.md contains concrete curl commands and step-by-step guidance for obtaining, storing, and using GOVEE_API_KEY. It stays focused on device discovery/state/control and explicitly warns not to read unrelated secrets or publish keys. Instructions reference only per-user files under $HOME for storing the key, which is appropriate for this purpose.
- Install Mechanism: ok. There is no install spec and no code files. Being instruction-only means nothing is downloaded or written by an installer, minimizing risk.
- Credentials: ok. Only GOVEE_API_KEY is required and declared as the primary credential. No unrelated credentials, system config paths, or excessive env variables are requested.
- Persistence & Privilege: ok. The always field is false, and the skill does not request persistent/privileged system presence or modify other skills' configs. Autonomous invocation is allowed by platform default, but that is not unusual for an instruction-only skill.
