Tuya Smart Control

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so the notes below describe what the skill documents itself as doing, not observed behavior; they are informational observations rather than findings.

What this means

Anyone, including any agent process, that holds this key can query and control every Tuya smart-home device the user's account is authorized for; the key is the only credential the skill documents.

Why it was flagged

The skill clearly discloses that it uses a Tuya API key for account-backed REST and WebSocket access.

Skill content
Credentials: Read from environment variable `TUYA_API_KEY`... The same `TUYA_API_KEY` is used for both the REST API and WebSocket message subscription.
Recommendation

Use a least-privileged Tuya key if the platform offers one, keep the key out of logs, shared prompts and agent transcripts, and revoke or rotate it as soon as the skill is no longer needed.
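One way to act on the "keep the key out of logs" recommendation, as an added example that is not part of the skill or of ClawScan's output: the script reads `TUYA_API_KEY` from the environment (the variable the skill documents), refuses to start without it, attaches a `logging.Filter` that scrubs the key from every record before any handler sees it, and derives a short hash fingerprint so the key can be referenced in rotation notes without being written down. The helper names (`load_api_key`, `SecretRedactingFilter`, `key_fingerprint`, `capture_logs`) and the sample log lines are constructed for this example.

```python
import hashlib
import io
import logging
import os
import re


def load_api_key(env=None):
    """Read the key from TUYA_API_KEY (the variable the skill documents).

    Fails loudly instead of silently continuing with an empty credential."""
    env = os.environ if env is None else env
    key = env.get("TUYA_API_KEY", "").strip()
    if not key:
        raise RuntimeError("TUYA_API_KEY is not set")
    return key


def key_fingerprint(key):
    """Non-reversible label for a key, safe to put in logs and rotation tickets."""
    return "tuya-key:" + hashlib.sha256(key.encode()).hexdigest()[:12]


class SecretRedactingFilter(logging.Filter):
    """Replace every occurrence of a secret in a record's message and args.

    Attached to the logger (not a handler) so the scrub happens before any
    handler, including ones added later, can format the record."""

    def __init__(self, secrets):
        super().__init__()
        secrets = [s for s in secrets if s]
        # Guard: an empty pattern would match everywhere and corrupt output.
        self._pattern = re.compile("|".join(map(re.escape, secrets))) if secrets else None

    def _scrub(self, value):
        if self._pattern is not None and isinstance(value, str):
            return self._pattern.sub("[REDACTED]", value)
        return value

    def filter(self, record):
        record.msg = self._scrub(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: self._scrub(v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(self._scrub(a) for a in record.args)
        return True


def redact(text, secrets):
    """Scrub secrets from free text (an error body, a prompt) before sharing it."""
    return SecretRedactingFilter(secrets)._scrub(text)


def make_logger(name, secrets, stream):
    """Logger whose output to `stream` never contains any of `secrets`."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SecretRedactingFilter(secrets))
    return logger


def capture_logs(key, messages):
    """Run (msg, args) pairs through a guarded logger; return what reached the sink."""
    sink = io.StringIO()
    logger = make_logger("tuya_redaction_demo", [key], sink)
    for msg, args in messages:
        logger.info(msg, *args)
    return sink.getvalue()


if __name__ == "__main__":
    # Constructed sample: a key passed via the environment and two careless log lines.
    os.environ.setdefault("TUYA_API_KEY", "sk_example_not_a_real_key")
    key = load_api_key()
    print("using", key_fingerprint(key))
    print(capture_logs(key, [("auth header: Bearer %s", (key,)),
                             ("config key=" + key + " loaded", ())]), end="")
```

Install the filter on the logger that `tuya_api.py` (or the agent runtime) actually writes to; a handler-level filter would leave a second handler unprotected.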

What this means

A mistaken or overly broad command could change smart-home device behavior, send unwanted notifications, or initiate camera capture.

Why it was flagged

The documented commands can mutate device state, rename devices, send notifications, and request camera media; these are expected for the skill but high-impact.

Skill content
python3 {baseDir}/scripts/tuya_api.py control <device_id> '{"switch_led":true}' ... rename <device_id> "New Name" ... sms "Your message" ... ipc_pic_fetch <device_id> <consent> ... ipc_video_fetch <device_id> <duration> <consent>
Recommendation

Review device IDs and command parameters before running control, notification, rename, or camera-capture actions; require explicit user approval for camera and safety-sensitive device operations.
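A pre-execution gate that applies this recommendation to the skill's documented command lines, as an added example (not the skill's own code and not something ClawScan ships): it classifies the verbs the skill documents (`control`, `rename`, `sms`, `ipc_pic_fetch`, `ipc_video_fetch`), checks the device ID against the allowlist the user scoped the task to, validates the `control` payload as a flat JSON object, and refuses camera operations unless the positional consent argument is present and the user explicitly approved that exact verb/device pair for this run. The device-ID pattern, the `yes` consent token, the 60-second video cap, the 64-character name limit and the `check_command` API are assumptions of this example.

```python
import json
import re
from dataclasses import dataclass

# Verb classes, taken from the commands the skill documents.
MUTATING = {"control", "rename"}
NOTIFY = {"sms"}
CAMERA = {"ipc_pic_fetch", "ipc_video_fetch"}

# Assumptions of this example, not taken from the skill.
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9]{6,32}$")
MAX_VIDEO_SECONDS = 60
MAX_NAME_LEN = 64
CONSENT_TOKEN = "yes"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _device_problem(device, allowed_devices):
    if not DEVICE_ID_RE.match(device):
        return Decision(False, f"malformed device id {device!r}")
    if device not in allowed_devices:
        return Decision(False, f"device {device} is not in the task allowlist")
    return None


def check_command(argv, allowed_devices, approvals=frozenset()):
    """Decide whether `python3 tuya_api.py <argv...>` may run.

    allowed_devices: device IDs the user scoped this task to.
    approvals: (verb, device) pairs the user explicitly approved for this run;
               required for every camera operation, not just a consent flag."""
    if not argv:
        return Decision(False, "empty command")
    verb, args = argv[0], argv[1:]

    if verb in NOTIFY:
        if not args or not args[0].strip():
            return Decision(False, "sms needs a non-empty message")
        return Decision(True, "notification")

    if verb not in MUTATING | CAMERA:
        return Decision(False, f"unknown or unreviewed verb {verb!r}")
    if not args:
        return Decision(False, f"{verb} needs a device id")
    device = args[0]
    problem = _device_problem(device, allowed_devices)
    if problem:
        return problem

    if verb == "control":
        try:
            props = json.loads(args[1]) if len(args) > 1 else None
        except ValueError:
            props = None
        if not isinstance(props, dict) or not props:
            return Decision(False, "control needs a non-empty JSON object")
        nested = [k for k, v in props.items() if isinstance(v, (dict, list))]
        if nested:
            return Decision(False, f"nested property values not allowed: {nested}")
        return Decision(True, f"control {device} {sorted(props)}")

    if verb == "rename":
        name = args[1].strip() if len(args) > 1 else ""
        if not 1 <= len(name) <= MAX_NAME_LEN:
            return Decision(False, f"rename needs a name of 1..{MAX_NAME_LEN} chars")
        return Decision(True, f"rename {device}")

    # Camera verbs: consent flag position follows the documented argument order
    # (ipc_pic_fetch <id> <consent>, ipc_video_fetch <id> <duration> <consent>).
    consent_pos = 1 if verb == "ipc_pic_fetch" else 2
    consent = args[consent_pos] if len(args) > consent_pos else ""
    if consent != CONSENT_TOKEN:
        return Decision(False, f"{verb} requires consent={CONSENT_TOKEN!r}")
    if (verb, device) not in approvals:
        return Decision(False, f"{verb} on {device} lacks explicit user approval")
    if verb == "ipc_video_fetch":
        try:
            duration = int(args[1])
        except ValueError:
            return Decision(False, "ipc_video_fetch needs an integer duration")
        if not 1 <= duration <= MAX_VIDEO_SECONDS:
            return Decision(False, f"duration must be 1..{MAX_VIDEO_SECONDS} seconds")
    return Decision(True, f"{verb} {device} approved")


if __name__ == "__main__":
    # Constructed sample: one scoped device, a camera request approved for this run.
    scoped = {"bf1234abcd"}
    ok = {("ipc_pic_fetch", "bf1234abcd")}
    print(check_command(["control", "bf1234abcd", '{"switch_led": true}'], scoped))
    print(check_command(["ipc_pic_fetch", "bf1234abcd", "yes"], scoped))
    print(check_command(["ipc_pic_fetch", "bf1234abcd", "yes"], scoped, ok))
```

The point of the separate `approvals` set is that a consent argument typed by the agent is not user consent; the approval has to come from outside the agent's own output.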

What this means

Real-time smart-home activity such as device state changes and online/offline status may be exposed to the agent process.

Why it was flagged

The WebSocket subscription can monitor real-time events for all devices unless the user narrows it to specific device IDs.

Skill content
device_ids=None,  # None = all devices; or pass a list of device IDs
Recommendation

Filter WebSocket subscriptions to only the devices needed for the task and avoid relaying event data to other systems unless the user has agreed.

What this means

If copied without care, an automation could repeatedly or incorrectly trigger device actions from sensor events.

Why it was flagged

The reference includes an event-driven automation pattern where a device event can trigger another device command and a notification.

Skill content
api.issue_properties(ACTION_DEVICE_ID, ACTION_PROPERTIES) ... api.send_push("Automation Triggered", "Door opened — hallway light turned on.")
Recommendation

Keep automations narrowly scoped, verify trigger/action device IDs, and use the documented throttling for notifications and repeated events.
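The two recommendations above (filter the WebSocket subscription to the devices the task needs; keep the door-to-light automation narrow and throttled) can be implemented with one small piece of glue code. The following is an added example, not the skill's reference automation: `DeviceEventFilter` mirrors the `device_ids=None` default (None means every device, a list means an allowlist), and `DoorLightAutomation` only acts on its single trigger device, calls `api.issue_properties` and `api.send_push` (the two calls the skill's reference pattern shows) through separate cooldowns, and reports what it did so repeated sensor chatter is visibly dropped rather than replayed. The event shape (`devId`, `properties.doorcontact_state`), the cooldown lengths and the `RecordingApi`/`FakeClock` test doubles are assumptions of this example.

```python
import time


class DeviceEventFilter:
    """Same semantics as the subscription's device_ids argument:
    None = all devices, otherwise only the listed device IDs pass."""

    def __init__(self, device_ids=None):
        self.allowed = None if device_ids is None else frozenset(device_ids)

    def accepts(self, event):
        dev = event.get("devId")  # assumed event field name
        return dev is not None and (self.allowed is None or dev in self.allowed)


class Cooldown:
    """Per-key rate limit: ready() is True at most once per `seconds` per key."""

    def __init__(self, seconds, clock=time.monotonic):
        self.seconds, self.clock, self._last = seconds, clock, {}

    def ready(self, key):
        now = self.clock()
        last = self._last.get(key)
        if last is not None and now - last < self.seconds:
            return False
        self._last[key] = now
        return True


class DoorLightAutomation:
    """Door-contact event on one device -> one property write on another,
    with an optional push notification, each behind its own cooldown."""

    def __init__(self, api, trigger_device, action_device, action_props,
                 clock=time.monotonic, action_cooldown=5.0, notify_cooldown=60.0):
        self.api = api
        self.trigger_device = trigger_device
        self.action_device = action_device
        self.action_props = action_props
        self.filter = DeviceEventFilter([trigger_device])  # narrow, never None
        self.action_gate = Cooldown(action_cooldown, clock)
        self.notify_gate = Cooldown(notify_cooldown, clock)

    def handle(self, event):
        """Return 'ignored', 'throttled', 'acted' or 'acted+notified'."""
        if not self.filter.accepts(event):
            return "ignored"
        props = event.get("properties", {})  # assumed event field name
        if props.get("doorcontact_state") is not True:  # assumed property
            return "ignored"
        if not self.action_gate.ready(self.trigger_device):
            return "throttled"
        self.api.issue_properties(self.action_device, self.action_props)
        if self.notify_gate.ready(self.trigger_device):
            self.api.send_push("Automation Triggered",
                               "Door opened; hallway light turned on.")
            return "acted+notified"
        return "acted"


class RecordingApi:
    """Stand-in for the skill's API object; records calls instead of sending."""

    def __init__(self):
        self.commands, self.pushes = [], []

    def issue_properties(self, device_id, properties):
        self.commands.append((device_id, dict(properties)))

    def send_push(self, title, body):
        self.pushes.append((title, body))


class FakeClock:
    """Controllable monotonic clock so throttling can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    # Constructed sample: a door sensor flapping four times in one second.
    clock, api = FakeClock(), RecordingApi()
    auto = DoorLightAutomation(api, "door001abc", "lamp001abc",
                               {"switch_led": True}, clock=clock.now)
    evt = {"devId": "door001abc", "properties": {"doorcontact_state": True}}
    for _ in range(4):
        print(auto.handle(evt))
        clock.advance(0.25)
    print(len(api.commands), "commands,", len(api.pushes), "pushes")
```

Keep the notification cooldown longer than the action cooldown: a light being re-asserted every few seconds is harmless, a push per bounce of a door contact is not.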