Alexa
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: alexa Version: 1.0.0 This skill bundle consists entirely of informational markdown files and standard metadata. The content provides comprehensive documentation on using and developing for Alexa, including device control, routines, smart home setup, and skill development. While `development.md` contains JavaScript code snippets, these are illustrative examples for building *other* Alexa skills and are not executed by the OpenClaw agent as part of *this* skill bundle. There is no evidence of prompt injection attempts, malicious code execution, data exfiltration, persistence mechanisms, or any other harmful behavior. The content is purely educational and aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be guided to perform physical smart-home actions such as opening a garage door.
The reference includes a physical-access smart-home command. This is aligned with Alexa guidance, but it is high-impact if a user follows it unintentionally.
"Open the garage door" | Garage controller
Keep physical-access commands user-confirmed and avoid using them as automatic suggestions.
A broad reset could remove device integrations or require reconfiguring the user's smart home.
The troubleshooting procedure can affect many devices and integrations at once. It is disclosed as a reset procedure, but following it could be disruptive.
Disable and remove all smart home skills ... Delete all devices from Alexa app ... Factory reset devices if needed
Use these reset steps only after simpler troubleshooting and with a clear understanding of what will need to be re-added.
If a user implements the example concepts, account tokens could grant access to linked services.
The development guide discusses OAuth access tokens for custom Alexa skills. The reviewed skill does not request or use tokens, but users building skills should treat this data as sensitive.
Access token available in `handlerInput.requestEnvelope.context.System.user.accessToken`
Use least-privilege OAuth scopes, do not log access tokens, and protect any account-linking implementation.