Alexa
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be guided to perform physical smart-home actions such as opening a garage door.
The reference includes a physical-access smart-home command. This is aligned with Alexa guidance, but it is high-impact if a user follows it unintentionally.
"Open the garage door" | Garage controller
Keep physical-access commands user-confirmed and avoid using them as automatic suggestions.
A broad reset could remove device integrations or require reconfiguring the user's smart home.
The troubleshooting procedure can affect many devices and integrations at once. It is disclosed as a reset procedure, but following it could be disruptive.
Disable and remove all smart home skills ... Delete all devices from Alexa app ... Factory reset devices if needed
Use these reset steps only after simpler troubleshooting and with a clear understanding of what will need to be re-added.
If a user implements the example concepts, account tokens could grant access to linked services.
The development guide discusses OAuth access tokens for custom Alexa skills. The reviewed skill does not request or use tokens, but users building skills should treat this data as sensitive.
Access token available in `handlerInput.requestEnvelope.context.System.user.accessToken`
Use least-privilege OAuth scopes, do not log access tokens, and protect any account-linking implementation.
