ClawHub

Anova Oven

v0.1.0

Control Anova Precision Ovens and Precision Cookers (sous vide) via WiFi WebSocket API. Start cooking modes (sous vide, roasting, steam), set temperatures, monitor status, and stop cooking remotely.

1· 1.6k·2 current·2 all-time
byAkshay Dodeja@dodeja
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Anova oven control) align with requested artifacts: instructions ask for an Anova personal access token and the code connects to devices.anovaculinary.io over WebSocket. No unrelated cloud providers, binaries, or credentials are requested.
Instruction Scope
SKILL.md stays on scope: it instructs installing the websockets Python library, storing a personal access token at ~/.config/anova/token, and running the included script to list/start/stop/monitor devices. The instructions do not direct reading unrelated files, nor do they instruct exfiltrating local data to third parties.
Install Mechanism
No install spec; the skill is instruction + Python script. Dependencies are minimal (websockets). Nothing is downloaded from untrusted URLs or written to system-wide locations by an installer.
Credentials
No environment variables or unrelated credentials are requested. The skill uses a local token file (~/.config/anova/token) which is appropriate for the API authentication described. The only network target is the Anova cloud WebSocket endpoint.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide configuration or modify other skills. It runs as a user-invoked script and only reads the stated token file.
Scan Findings in Context
[none-detected] expected: The static pre-scan reported no injection signals. That is consistent with the visible code, which is plain Python implementing WebSocket interactions with the Anova cloud. Absence of findings is not proof of safety but matches the observed simple footprint.
Assessment
This skill appears to do what it says: control Anova devices over the Anova cloud WebSocket API. Before installing or running it: (1) review the full scripts/anova.py file yourself (the provided listing was truncated here) to confirm there is no hidden behavior; (2) keep your personal access token secret and store it with restricted permissions (chmod 600) as instructed; (3) be aware the token is sent in the WebSocket URI (it may be exposed in logs or proxy logs), so avoid using a token you wouldn't revoke if leaked; (4) run the script in a minimal, network-limited environment if you have concerns; (5) if you stop using the skill, revoke the personal access token from the Anova app. If you want higher assurance, provide the full untruncated scripts/anova.py for a final review and I can raise confidence to high.

Like a lobster shell, security has layers — review code before you run it.

latestvk978k3qgtje20vwfgv1nw8b79s7zthjm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments