Tuya Smart Control
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to match its stated Tuya smart-home purpose, but it requires a broadly privileged Tuya API key, and with that key the agent can control devices, send notifications, monitor real-time events, and fetch camera captures.
Install only if you want this agent to access and control your Tuya smart-home account. Protect TUYA_API_KEY, avoid overriding Tuya endpoints unless you trust the destination, and require clear approval for camera capture, notifications, and changes to physical device state.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with this key can potentially query and control the user’s authorized Tuya smart-home devices.
The skill clearly discloses that it uses a Tuya API key for account-backed REST and WebSocket access.
Credentials: Read from environment variable `TUYA_API_KEY`... The same `TUYA_API_KEY` is used for both the REST API and WebSocket message subscription.
Use a least-privileged Tuya key if available, keep the key out of logs and shared prompts, and revoke or rotate it if the skill is no longer needed.
A mistaken or overly broad command could change smart-home device behavior, send unwanted notifications, or initiate camera capture.
The documented commands can mutate device state, rename devices, send notifications, and request camera media; these are expected for the skill but high-impact.
python3 {baseDir}/scripts/tuya_api.py control <device_id> '{"switch_led":true}' ... rename <device_id> "New Name" ... sms "Your message" ... ipc_pic_fetch <device_id> <consent> ... ipc_video_fetch <device_id> <duration> <consent>
Review device IDs and command parameters before running control, notification, rename, or camera-capture actions; require explicit user approval for camera and safety-sensitive device operations.
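As an added illustration of the recommendation above (this is example code written for this review, not the skill's tuya_api.py and not ClawScan tooling), the following Python gate classifies an agent-proposed command line into RUN, ASK or DENY before anything reaches the Tuya API. The command names are the ones the SKILL.md excerpt documents; the risk tiers, the device allowlist, the `safety_sensitive` set, the device-id pattern, the video-length cap and the `Verdict`/`Decision` types are assumptions made for this example. The gate deliberately ignores any `<consent>` value the agent itself places on the command line and uses only its own record of user consent, so the agent cannot self-approve a camera capture.

```python
"""Approval gate for agent-proposed tuya_api.py-style commands.

Added illustration only: not the skill's code. Command names come from the
SKILL.md excerpt; tiers, allowlist, id pattern and Verdict are assumptions.
"""
import json
import re
from dataclasses import dataclass
from enum import Enum

MUTATING = {"control", "rename"}
NOTIFYING = {"sms"}
CAPTURE = {"ipc_pic_fetch", "ipc_video_fetch"}

# Assumption: device ids are short alphanumeric tokens. Rejecting anything else
# stops a prompt-injected "device id" from carrying shell or JSON metacharacters.
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


class Verdict(Enum):
    RUN = "run"    # safe to execute without a human in the loop
    ASK = "ask"    # hold until a human approves this exact command
    DENY = "deny"  # reject outright


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    reason: str


def evaluate(argv, allowlist, safety_sensitive=frozenset(), consent=False,
             max_video_seconds=30):
    """Classify one command line (the part after 'tuya_api.py').

    `consent` is the gate's own record that the user approved a camera
    capture; a consent flag supplied by the agent in argv is ignored.
    """
    if not argv:
        return Decision(Verdict.DENY, "empty command")
    cmd, args = argv[0], argv[1:]

    if cmd in NOTIFYING:
        # Messages leave the account and cannot be recalled: always ask.
        return Decision(Verdict.ASK, "notification requires approval")
    if cmd not in MUTATING | CAPTURE:
        return Decision(Verdict.DENY, f"unknown or unreviewed command {cmd!r}")

    if not args or not DEVICE_ID_RE.match(args[0]):
        return Decision(Verdict.DENY, "missing or malformed device id")
    device_id = args[0]
    if device_id not in allowlist:
        return Decision(Verdict.DENY, f"device {device_id} not in allowlist")

    if cmd == "control":
        if len(args) < 2:
            return Decision(Verdict.DENY, "control needs a JSON properties argument")
        try:
            props = json.loads(args[1])
        except ValueError:
            return Decision(Verdict.DENY, "properties argument is not valid JSON")
        if not isinstance(props, dict) or not props:
            return Decision(Verdict.DENY, "properties must be a non-empty JSON object")
        if device_id in safety_sensitive:
            return Decision(Verdict.ASK, "safety-sensitive device requires approval")
        return Decision(Verdict.RUN, "allowlisted, non-sensitive device")

    if cmd == "rename":
        if len(args) < 2 or not args[1].strip():
            return Decision(Verdict.DENY, "rename needs a non-empty name")
        return Decision(Verdict.ASK, "rename is user-visible; requires approval")

    # Camera capture: bound the video length and require recorded consent.
    if cmd == "ipc_video_fetch":
        if len(args) < 2 or not args[1].isdigit() or int(args[1]) > max_video_seconds:
            return Decision(Verdict.DENY, "video duration missing, non-numeric or over limit")
    if not consent:
        return Decision(Verdict.ASK, "camera capture requires explicit user consent")
    return Decision(Verdict.RUN, "camera capture with recorded user consent")
```

A wrapper around the skill's script would call `evaluate(sys.argv[1:], ...)` and only exec the real command on `Verdict.RUN`; `Verdict.ASK` is where the approval prompt to the user belongs, with the exact device id and payload shown.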
Real-time smart-home activity such as device state changes and online/offline status may be exposed to the agent process.
The WebSocket subscription can monitor real-time events for all devices unless the user narrows it to specific device IDs.
device_ids=None, # None = all devices; or pass a list of device IDs
Filter WebSocket subscriptions to only the devices needed for the task and avoid relaying event data to other systems unless the user has agreed.
If copied without care, an automation could repeatedly or incorrectly trigger device actions from sensor events.
The reference includes an event-driven automation pattern where a device event can trigger another device command and a notification.
api.issue_properties(ACTION_DEVICE_ID, ACTION_PROPERTIES) ... api.send_push("Automation Triggered", "Door opened — hallway light turned on.")
Keep automations narrowly scoped, verify trigger/action device IDs, and use the documented throttling for notifications and repeated events.
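The two recommendations above (narrow the WebSocket subscription to the devices the task needs, and throttle repeated events and notifications) can be combined in one handler. The following Python is an added example written for this review, not the skill's reference automation and not ClawScan code. `FakeApi` mimics only the two method names the excerpt calls (`issue_properties`, `send_push`) and records calls instead of contacting Tuya; the event dict shape `{"device_id", "code", "value", "ts"}` and the `doorcontact_state` code are constructed for the example and are not Tuya's WebSocket wire format; the cooldown and push budget values are assumptions.

```python
"""Filtered, cooled-down event-to-action automation.

Added illustration only, not the skill's code. FakeApi records calls; the
event dict shape is constructed and is not Tuya's WebSocket message format.
"""
from collections import deque


class FakeApi:
    """Stand-in for the skill's api object; records instead of calling Tuya."""

    def __init__(self):
        self.commands = []
        self.pushes = []

    def issue_properties(self, device_id, properties):
        self.commands.append((device_id, dict(properties)))

    def send_push(self, title, body):
        self.pushes.append((title, body))


class Automation:
    """One trigger -> one action, with a subscription filter, a cooldown and a push budget."""

    def __init__(self, api, subscribed_devices, trigger_device, trigger_code,
                 trigger_value, action_device, action_properties,
                 cooldown_s=60.0, push_limit=3, push_window_s=3600.0):
        assert trigger_device in subscribed_devices, "trigger device must be subscribed"
        self.api = api
        self.subscribed = frozenset(subscribed_devices)  # mirrors a narrowed device_ids list
        self.trigger = (trigger_device, trigger_code, trigger_value)
        self.action_device = action_device
        self.action_properties = dict(action_properties)
        self.cooldown_s = cooldown_s
        self.push_limit = push_limit
        self.push_window_s = push_window_s
        self._last_fired = None
        self._push_times = deque()

    def handle(self, event, now):
        """Process one event; returns a short outcome label for auditing."""
        device = event.get("device_id")
        if device not in self.subscribed:
            # Defence in depth: the subscription should already be narrowed,
            # but never act on a device the user did not opt in to.
            return "not_subscribed"
        if (device, event.get("code"), event.get("value")) != self.trigger:
            return "no_match"
        if self._last_fired is not None and now - self._last_fired < self.cooldown_s:
            # Duplicate deliveries and sensor chatter must not re-fire the action.
            return "cooldown"
        self._last_fired = now
        self.api.issue_properties(self.action_device, self.action_properties)

        # Push budget: at most push_limit notifications per push_window_s.
        while self._push_times and now - self._push_times[0] >= self.push_window_s:
            self._push_times.popleft()
        if len(self._push_times) >= self.push_limit:
            return "fired_no_push"
        self._push_times.append(now)
        self.api.send_push("Automation Triggered",
                           f"{device} {event['code']}={event['value']}: "
                           f"set {self.action_properties} on {self.action_device}")
        return "fired"


def run_demo():
    """Replay a constructed event sequence; returns (outcomes, api)."""
    api = FakeApi()
    auto = Automation(api, subscribed_devices={"door01", "light01"},
                      trigger_device="door01", trigger_code="doorcontact_state",
                      trigger_value=True, action_device="light01",
                      action_properties={"switch_led": True},
                      cooldown_s=60.0, push_limit=2)
    # Constructed events (not captured Tuya traffic); ts is seconds.
    events = [
        {"device_id": "door01", "code": "doorcontact_state", "value": True, "ts": 0.0},
        {"device_id": "door01", "code": "doorcontact_state", "value": True, "ts": 2.0},
        {"device_id": "door01", "code": "doorcontact_state", "value": False, "ts": 5.0},
        {"device_id": "cam01", "code": "doorcontact_state", "value": True, "ts": 6.0},
        {"device_id": "door01", "code": "doorcontact_state", "value": True, "ts": 61.0},
        {"device_id": "door01", "code": "doorcontact_state", "value": True, "ts": 122.0},
    ]
    outcomes = [auto.handle(e, e["ts"]) for e in events]
    return outcomes, api


if __name__ == "__main__":
    for label in run_demo()[0]:
        print(label)
```

The replay shows the three failure modes the finding describes being absorbed: the duplicate delivery two seconds after the first open is dropped by the cooldown, the event from an unsubscribed camera never reaches the action, and once the push budget is spent the light still switches but no further notification is sent.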
