ClawHub

Openclaw Skill Tado

v1.0.5

Interact with Tado smart thermostat. Use for reading temperature, setting heating with auto-revert, viewing energy usage, and controlling zones.

0· 121·0 current·0 all-time
byDave K@davek-dev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Tado thermostat control) align with the actual instructions: OAuth device flow, token refresh, reading zones, setting overlays, and energy usage — all are expected for a Tado API client.
Instruction Scope
SKILL.md stays on-topic and only describes Tado API interactions. It instructs use of environment variables (TADO_TOKEN, TADO_REFRESH_TOKEN, TADO_HOME_ID) and shows the OAuth device flow. It also includes a Python script that uses requests; the registry metadata did not declare these env vars or the Python dependency, so the documentation and registry metadata are not fully synchronized.
Install Mechanism
There is no install spec and no code files beyond SKILL.md, so nothing will be downloaded or installed by the platform. This reduces attack surface. The only runtime action would be commands the agent runs following the instructions.
Credentials
Requested secrets (access token, refresh token, home id) are appropriate for controlling a Tado account. However, the registry lists no required env vars while SKILL.md explicitly tells users to store tokens in environment variables. Also note a refresh token provides long-lived access and should be stored and handled securely.
Persistence & Privilege
The skill does not request always:true, does not include install scripts, and does not attempt to modify other skills or global agent settings. It is user-invocable and allows normal autonomous invocation (platform default).
Assessment
This skill appears to be what it says: Tado API instructions for reading and controlling zones. Before installing, consider: (1) the skill source is unknown—only install if you trust it; (2) you will need to perform an OAuth device flow and store access/refresh tokens (the README mentions env vars but the registry metadata doesn't declare them); (3) the provided Python script requires the 'requests' package—ensure your environment has needed runtime dependencies; (4) treat the refresh token as sensitive (revokable) and revoke it if you stop using the skill; (5) because the skill is instruction-only, the platform won't install code, but an agent following the SKILL.md could run curl/python commands that use those tokens—only grant access if you trust the agent and the skill's author.

Like a lobster shell, security has layers — review code before you run it.

latestvk9729g90h2a61x93c5tpcwx7eh835kdy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments