Anova Oven
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to control Anova devices as advertised, but it can remotely start a real heating appliance using a stored account token, and the reviewed artifacts show no strong approval, device-selection, or timeout safeguards around that action.
Only install this if you are comfortable letting an agent control a physical heating appliance. Before using it, protect the Anova token, verify the selected device, and require manual confirmation plus a clear time/probe limit for every cook or preheat command.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could remotely turn on or continue running a real oven/cooker if a request is misinterpreted, lacks a duration, or targets the wrong default device.
The visible code can issue an automatic oven-start command, and it only adds a timer when a duration is supplied. For a physical heating appliance, this needs stronger confirmation and fail-closed safety bounds.
"userActionRequired": False ... "stageTransitionType": "automatic" ... elif duration: cook_stage["timer"] = {"initial": duration * 60} ... "command": "CMD_APO_START"
Require explicit user confirmation before any start command, require device selection when multiple devices exist, enforce safe temperature and duration limits, and reject cook/preheat commands without a timer or probe endpoint.
Anyone or any process that obtains the token may be able to access or control the user's Anova devices.
The skill requires a persistent Anova account token that can access and control paired devices. This is purpose-aligned, but it is sensitive and not declared in the registry credential fields.
**Personal Access Token** from Anova app ... Create token ... Store in `~/.config/anova/token`
Store the token with restrictive permissions, revoke it if no longer needed, and ensure the registry metadata clearly declares the required credential and config path.
A future dependency version could change behavior or introduce vulnerabilities.
The skill depends on a third-party Python package with an unpinned lower-bound version. This is common and purpose-aligned, but future dependency changes are not constrained.
websockets>=10.0
Pin dependency versions or provide a lockfile/hashes for reproducible installation.
