Skill v1.0.0

ClawScan security

Tuya Smart · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Mar 5, 2026, 8:27 AM)
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions align with its claimed Tuya IoT control purpose — it asks only for Tuya project credentials and common CLI tools, and stores operational notes in a local ~/tuya workspace (do not paste secrets into chat).
Guidance
This skill appears coherent and uses only Tuya credentials and standard CLI tools, but before installing: ensure you trust the skill source (homepage/source unknown), set TUYA_ACCESS_ID and TUYA_ACCESS_SECRET as environment variables rather than pasting secrets into chat, use least-privilege/rotatable credentials, confirm you are comfortable with the skill creating ~/tuya (inspect its contents and permissions), and rotate or revoke keys if you stop using the skill.

Review Dimensions

Purpose & Capability
ok: Name/description, required env vars (TUYA_ACCESS_ID, TUYA_ACCESS_SECRET), and required binaries (curl, jq, openssl) match the documented need to sign HMAC requests, call Tuya OpenAPI endpoints, and process JSON responses. Nothing requested appears extraneous to Tuya cloud integration and device control.
Instruction Scope
note: Instructions are focused on Tuya API auth, signature construction, device discovery, read-before-write control loops, and safe rollout playbooks. The skill directs creation of a local workspace at ~/tuya for notes and short-lived token caching; the docs explicitly advise not to store raw secrets. This behavior is coherent for an integration skill, but users should verify local files and token caching policies before use.
Install Mechanism
ok: Instruction-only skill with no install spec or third-party downloads; lowest install risk. It relies on standard CLI utilities (curl, jq, openssl) already expected on target systems.
Credentials
ok: Only TUYA_ACCESS_ID and TUYA_ACCESS_SECRET are required, and the primary credential is the access secret — this is proportionate and necessary for Tuya OpenAPI signing. No unrelated secrets or multiple external credentials are requested.
Persistence & Privilege
ok: always:false and normal autonomous invocation allowed. The skill writes/uses its own workspace under the user's home (~/tuya) and does not request elevated OS-wide privileges or modify other skills. The storage and file-permission recommendations (chmod 700/600) are reasonable.