Dirigera Control (IKEA smart home)
Review
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent IKEA smart-home control skill, but it can change physical devices and stores a local hub token, so install it only if you intend to grant that control.
Install only if you want the agent to control IKEA smart-home devices. Protect the generated Dirigera token file, verify any Cloudflare tunnel is locked down, and require explicit confirmation for broad or safety-relevant actions such as turning off all outlets or triggering whole-home scenes.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly or too broadly, the agent could turn off outlets, change lighting, or trigger smart-home scenes the user did not intend.
The documented API can switch outlets and trigger scenes, which is the stated purpose but can affect physical devices in the home.
outlet.set_on(outlet_on=True/False) ... scene.trigger() # Activate scene
Use explicit device and room names, and consider asking for confirmation before broad actions such as all-outlet, all-light, or scene changes.
Anyone who can read the saved token file may be able to control the Dirigera hub and connected smart-home devices.
The wrapper writes the generated Dirigera access token to a local file; that token grants access to control the hub.
output_path.write_text(token + "\n")
Store the token in a private location with restrictive file permissions, avoid sharing logs or files containing it, and rotate/delete it if exposed.
Installing an unpinned package can pull in whatever version is current at install time, which may differ from what the skill author tested.
The skill relies on an external Python package installed by name without a pinned version or lockfile in the provided artifacts.
pip install dirigera
Install from the official package source, consider pinning a known-good version, and review package provenance before use.
A misconfigured tunnel could expose smart-home control beyond the intended user or environment.
The skill description indicates smart-home access may traverse a remote tunnel/gateway, but the artifacts do not define that tunnel’s access controls.
Accessible via Cloudflare tunnel on VPS.
Verify the Cloudflare tunnel is private, authenticated, and limited to the intended hub/API before using this skill remotely.
A process may continue briefly after the agent’s turn and then save a token file when the button is pressed.
The token-generation workflow starts a background process so it can wait for the physical hub button press; this is disclosed and bounded to setup.
python scripts/generate_token_wrapper.py <dirigera-ip-address> &
Run this only when you are ready to press the hub button, confirm it exits after setup, and remove any unwanted token files.
