Shelly

Pass

Audited by ClawScan on May 1, 2026.

Overview

Shelly is a coherent IoT-control skill with clearly disclosed device-control, cloud-token, and local-memory behavior, plus safety gates for writes.

Before installing, confirm whether you want this skill to control devices or only inspect status, set strict approval rules for power/heating/security/batch actions, and keep the Shelly cloud token and ~/shelly/ notes protected.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If misused or approved too broadly, the agent could change power, heating, security, or multiple-device states.

Why it was flagged

The skill can perform high-impact physical device writes, but the artifact explicitly requires confirmation before those actions.

Skill content

Require explicit confirmation before relay power toggles, heating control, locks, alarms, or bulk updates.

Recommendation

Use read-only mode first, approve writes only for clearly identified devices, and keep canary and verification steps enabled.

What this means

A cloud token may allow remote access to Shelly devices tied to the account.

Why it was flagged

The skill uses a Shelly cloud token for account-scoped cloud operations, and the artifact gives appropriate handling guidance.

Skill content

Use `SHELLY_CLOUD_TOKEN` only from environment variables. Do not store raw token values in `~/shelly/` notes.

Recommendation

Use the least-privileged token available, keep it in the environment rather than chat or notes, and rotate it if exposure is suspected.

What this means

Local notes may reveal smart-device layout or cause future automations to rely on stale or incorrect context.

Why it was flagged

The skill keeps persistent local memory containing network, device, and automation context that can influence future actions.

Skill content

Create `~/shelly/memory.md` ... Local segments and reachability assumptions ... Device groups and critical devices ... Automation Constraints

Recommendation

Review ~/shelly/ periodically, avoid storing secrets, keep file permissions restrictive, and remove outdated device or automation entries.