Ecovacs Mcp

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If enabled, the assistant can start, pause, stop, or dock the robot vacuum when it interprets a relevant user request.

Why it was flagged

The skill exposes tools that can change the state of a physical robot vacuum. This matches the skill's purpose, but users should notice that the assistant may issue real device commands.

Skill content

`start_cleaning` ... `act` `s` Start cleaning ... `act` `h` Stop cleaning; `control_recharging` ... `go-start` Return to charging dock

Recommendation

Enable only for an account and robot you want the assistant to control; consider requiring explicit confirmation before start/stop/dock actions.

What this means

Anyone with access to the configured API key may be able to interact with the user's Ecovacs account or robot through the MCP server.

Why it was flagged

The skill requires an Ecovacs API key tied to the user's account and account-bound robot devices. This is expected for the integration and no artifact shows credential logging or unrelated use.

Skill content

**API Key** (`ECO_API_KEY`) from [open.ecovacs.com](https://open.ecovacs.com)

Recommendation

Store the API key securely, use the least-privileged key available from Ecovacs, and rotate it if it is exposed.

What this means

The actual runtime behavior depends on the external ecovacs-robot-mcp package installed at configuration time.

Why it was flagged

The documented setup runs an external Python package that is not included in these artifacts and is not version-pinned in the shown MCP configuration. This is normal for an MCP wrapper, but users depend on that package's provenance.

Skill content

`"command": "uvx", "args": ["--from", "ecovacs-robot-mcp", "python", "-m", "ecovacs_robot_mcp"]`

Recommendation

Verify the package source before use and pin a trusted version if your MCP configuration supports it.