Alexa

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is an instruction-only Alexa reference with no code or credential requirements, though some examples involve high-impact smart-home actions that users should confirm before following.

This appears safe as an Alexa reference skill. Before following advice, be careful with commands that open physical access points, make calls or messages, delete/reset devices, change network settings, or handle OAuth tokens in custom skill development.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could be guided to perform physical smart-home actions such as opening a garage door.

Why it was flagged

The reference includes a physical-access smart-home command. This is aligned with Alexa guidance, but it is high-impact if a user follows it unintentionally.

Skill content

"Open the garage door" | Garage controller

Recommendation

Keep physical-access commands user-confirmed and avoid using them as automatic suggestions.

Note | High Confidence
ASI08: Cascading Failures

What this means

A broad reset could remove device integrations or require reconfiguring the user's smart home.

Why it was flagged

The troubleshooting procedure can affect many devices and integrations at once. It is disclosed as a reset procedure, but following it could be disruptive.

Skill content

Disable and remove all smart home skills ... Delete all devices from Alexa app ... Factory reset devices if needed

Recommendation

Use these reset steps only after simpler troubleshooting and with a clear understanding of what will need to be re-added.

What this means

If a user implements the example concepts, account tokens could grant access to linked services.

Why it was flagged

The development guide discusses OAuth access tokens for custom Alexa skills. The reviewed skill does not request or use tokens, but users building skills should treat this data as sensitive.

Skill content

Access token available in `handlerInput.requestEnvelope.context.System.user.accessToken`

Recommendation

Use least-privilege OAuth scopes, do not log access tokens, and protect any account-linking implementation.