Netatmo
v1.0.1
Control Netatmo thermostat and read weather station data. Use for heating control (set temperature, change mode), checking indoor/outdoor temperatures, CO₂ levels, humidity, noise, and pressure readings.
by Florian Beer (@florianbeer)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (control Netatmo devices and read sensors) aligns with the SKILL.md commands (uses a `netatmo` CLI and standard Netatmo operations). However the skill metadata declares no required binaries or credentials even though the instructions require a local `netatmo` CLI and credentials files under ~/.config/netatmo/. The capability is plausible but the skill should explicitly declare these dependencies.
Instruction Scope
SKILL.md tells the agent to use `netatmo` CLI and to read/write credentials in ~/.config/netatmo/ (credentials.json with client_id/client_secret and tokens.json with OAuth tokens). Those files are sensitive (contain client secrets and access/refresh tokens). The skill does not declare that it will read those files, nor does it constrain or explain how tokens are handled. While reading those files is required to operate, the omission is a scope/transparency problem.
Install Mechanism
This is an instruction-only skill with no install spec or code to write to disk, which reduces install-side risk. The tradeoff is that it implicitly relies on an external binary (`netatmo`) being present — that dependency is not declared.
Credentials
No environment variables or primary credential are declared in the skill metadata, yet the runtime instructions require access to user-local credential files (~/.config/netatmo/credentials.json and tokens.json). Those files contain secrets (client_id/client_secret and OAuth tokens). The requested access is proportionate to Netatmo integration, but the omission in metadata is a transparency and least-privilege concern.
Persistence & Privilege
The skill does not request always:true or other elevated persistence; it is user-invocable and allowed to be invoked autonomously by default (platform normal). It does mention tokens auto-refreshing (which implies writing tokens.json), but there is no indication the skill modifies unrelated agent settings or other skills.
What to consider before installing
This skill appears to implement legitimate Netatmo operations, but it contains important omissions. Before installing:
1) Verify the skill's origin (owner is unknown) and prefer an official/verified source.
2) Confirm you have the `netatmo` CLI installed from an official release; the skill assumes that binary but doesn't declare it.
3) Inspect ~/.config/netatmo/credentials.json and tokens.json — they hold client_id/client_secret and OAuth tokens; only allow access if you trust the skill.
4) If you want to proceed, ask the author to update metadata to list the required binary and declare the config path(s) or to use environment variables so permissions are explicit.
5) Consider running the skill in an isolated account or VM, or deny agent access to your home config if you cannot verify the skill.
If you cannot confirm provenance and trust, treat this as risky and avoid installing.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97ce6byxwjvmwef2xyj3djzen7zxr29
