Skill v1.0.0

ClawScan security

Control of Yandex smart home devices (Alice) through the official IoT API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 10:06 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's runtime instructions match its stated purpose (controlling Yandex Smart Home), but the published metadata omits the environment variable and binary that SKILL.md declares as required. Resolve that inconsistency before installing.
Guidance
This skill appears to do what it says (control Yandex smart-home devices), but the package metadata does not declare the runtime requirements that appear in SKILL.md. Before installing: (1) verify the skill's author and source (the source is listed as unknown); (2) confirm you are comfortable supplying a YANDEX_IOT_TOKEN, since it grants control over your devices, and prefer a token with the minimal scopes and a limited lifetime: a read-only probe such as GET /user/info needs only iot:view, so withhold iot:control until you have reviewed what the skill does; (3) ensure the platform or environment storing the token is secure, and that the skill's metadata is updated to declare YANDEX_IOT_TOKEN and curl; (4) grant the skill access only after testing read-only operations (e.g., GET /user/info), and review the logs of any actions it performs. If the owner cannot explain the metadata mismatch or provide a trustworthy source, treat the skill cautiously or avoid installing it.

Review Dimensions

Purpose & Capability
ok · The SKILL.md behavior (calling https://api.iot.yandex.net endpoints to list devices, read state, send actions, run scenarios) aligns with the skill name and description; this is what a Yandex IoT integration would need.
Instruction Scope
ok · The instructions are narrowly scoped to calling Yandex IoT endpoints with curl and require a YANDEX_IOT_TOKEN; they do not instruct reading unrelated files or exfiltrating data to third-party endpoints. Commands and request/response handling are explicit (GET /user/info, POST /devices/actions, etc.).
Install Mechanism
ok · There is no install spec and no code files (instruction-only). That minimizes on-disk risk; nothing is downloaded or installed by the skill itself.
Credentials
concern · SKILL.md explicitly requires YANDEX_IOT_TOKEN (an OAuth token with the iot:view and iot:control scopes) and the curl utility, but the registry metadata lists no required env vars or binaries; this omission is an inconsistency. Requesting a single Yandex OAuth token is proportionate for the described functionality, but the missing metadata matters because users could install the skill without realizing a credential is required.
Persistence & Privilege
ok · The skill is not marked always:true and does not request system-wide config or modify other skills. Autonomous invocation is allowed (platform default); combined with access to a control token this enables executing device actions, which is expected for this integration.
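The Credentials finding above (and step 3 of the guidance) comes down to one check: does the registry metadata declare everything SKILL.md actually relies on, and does SKILL.md talk only to the host it claims to? The script below is an added example of that check, written for this page; it is not ClawHub's scanner code and not part of the skill. The SKILL.md fragment and the metadata dict are constructed to mirror what the review describes (a `$YANDEX_IOT_TOKEN` used by curl, GET /user/info, POST /devices/actions, nothing declared), and the `/v1.0/` path prefix and the `env`/`bins` metadata keys are assumptions of the example, not facts taken from the page. Beyond the page's case it also flags any write-style request (POST/PUT/PATCH/DELETE or a request body) so a reviewer can see which commands need iot:control, and any host outside the allowlist, which is the exfiltration case the Instruction Scope dimension checks for.

```python
import re
from dataclasses import dataclass

# Constructed SKILL.md fragment (assumption: modelled on the review, not the real file).
SAMPLE_SKILL_MD = """
# Yandex Smart Home

Requires the environment variable `YANDEX_IOT_TOKEN` (OAuth token with scopes
`iot:view` and `iot:control`).

List devices:
    curl -s -H "Authorization: Bearer $YANDEX_IOT_TOKEN" https://api.iot.yandex.net/v1.0/user/info

Run an action:
    curl -s -X POST -H "Authorization: Bearer $YANDEX_IOT_TOKEN" \\
         -H "Content-Type: application/json" -d @action.json \\
         https://api.iot.yandex.net/v1.0/devices/actions
"""

# Constructed registry metadata as the review describes it: nothing declared.
# (The "env" / "bins" key names are an assumption of this example.)
SAMPLE_METADATA = {"env": [], "bins": [], "install": None}

ENV_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]+)\}?")                 # $VAR or ${VAR}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s\"'`]*)?")     # host, path
CMD_RE = re.compile(r"^ {4,}([a-z][\w.-]*)\b", re.M)                # first word of an indented command
WRITE_RE = re.compile(r"-X\s+(POST|PUT|PATCH|DELETE)|(?:^|\s)(-d|--data)\b")
SHELL_BUILTINS = {"cd", "echo", "export", "set"}


@dataclass
class Finding:
    undeclared_env: set      # env vars SKILL.md expands but metadata does not declare
    undeclared_bins: set     # binaries SKILL.md runs but metadata does not declare
    foreign_hosts: set       # hosts contacted that are not on the allowlist
    write_endpoints: set     # host+path of requests that change state


def review(skill_md, metadata, allowed_hosts=("api.iot.yandex.net",)):
    # Join backslash-continued lines so flags and the URL land on one line.
    text = re.sub(r"\\\n\s*", " ", skill_md)
    env_refs = set(ENV_RE.findall(text))
    bins = set(CMD_RE.findall(text)) - SHELL_BUILTINS
    hosts, writes = set(), set()
    for line in text.splitlines():
        for host, path in URL_RE.findall(line):
            hosts.add(host)
            if WRITE_RE.search(line):
                writes.add(host + (path or ""))
    return Finding(
        undeclared_env=env_refs - set(metadata.get("env", [])),
        undeclared_bins=bins - set(metadata.get("bins", [])),
        foreign_hosts=hosts - set(allowed_hosts),
        write_endpoints=writes,
    )


def verdict(finding):
    # Talking to an undeclared host is worse than an incomplete manifest.
    if finding.foreign_hosts:
        return "block"
    if finding.undeclared_env or finding.undeclared_bins:
        return "concern"
    return "ok"


if __name__ == "__main__":
    f = review(SAMPLE_SKILL_MD, SAMPLE_METADATA)
    print(verdict(f), f)
```

Run against the constructed inputs it reports `concern` with `YANDEX_IOT_TOKEN` and `curl` undeclared and `/v1.0/devices/actions` as the only write endpoint; declaring both in the metadata turns the verdict to `ok`, and adding a `curl -X POST ... https://example.invalid/...` line to SKILL.md turns it to `block`. The write-endpoint list is the set of commands to hold back until the read-only trial from the guidance has passed.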