ClawHub

SwitchBot Smart Home Control

v1.0.0

Control SwitchBot smart home devices (curtains, plugs, lights, locks, etc.) via SwitchBot Cloud API. Use when user asks to open/close curtains, turn on/off lights/plugs, check temperature/humidity, or control any SwitchBot device.

1· 1.6k·2 current·2 all-time
byJu Chun Ko@daaab
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the included Python script are coherent: they implement SwitchBot Cloud API calls to list devices, read status, and send commands. No unrelated services, binaries, or credentials are requested.
Instruction Scope
Runtime instructions stay within the expected scope: they ask the human to obtain a SwitchBot token/secret, store them in ~/.config/switchbot/credentials.json, run the included script for discovery and control, and optionally record device IDs in TOOLS.md. Note: instructing the user to add device IDs to TOOLS.md may store device identifiers in agent tooling/docs — this is expected for convenience but is a potential privacy consideration.
Install Mechanism
There is no install spec; this is an instruction-only skill with a bundled Python script that uses only standard-library modules. Nothing is downloaded or extracted from untrusted URLs.
Credentials
The skill asks the user to place a token and secret in a local credentials file (reasonable and proportionate). One small inconsistency: the registry metadata shows no primary credential or required env vars even though credentials are required via the config file; this is a metadata omission rather than a security red flag. Protecting the credentials file (chmod 600) as instructed is important.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. The skill can be invoked autonomously by the agent (platform default), which is normal; no elevated persistence is requested.
Assessment
This skill appears to do what it says, but review and follow these precautions before use: - Verify origin/trust: source is 'unknown' — only install/run if you trust the publisher or after you inspect the code (you have the script here). - Protect credentials: follow the SKILL.md advice (store token/secret in ~/.config/switchbot/credentials.json with chmod 600). Do not paste the token/secret into chat or public logs. - Consider secrets management: if you prefer, store credentials in a local secret manager and modify the script to read them securely instead of a file. - Limit exposure: run the script on a machine/network you control; it's benign but it can send commands to your devices. - Device ID privacy: updating TOOLS.md with device IDs is convenient but leaks device identifiers to your agent/tooling — avoid putting secrets or sensitive location info in that file. - Test safely: test with a non-critical device first (e.g., a light) to confirm expected behavior. - Rotate keys if compromised: if you accidentally expose the token/secret, rotate them via the SwitchBot app/dev settings. If you want a higher assurance level, request an auditable provenance (who published the skill) or run the script in an isolated environment before granting the skill regular use.

Like a lobster shell, security has layers — review code before you run it.

latestvk9798jcwwcnk2rmvwtttxjxe6h80kv19

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments