v1.0.0

Philips Hue Thinking Indicator

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:14 AM.

Analysis

The skill mostly matches its Hue-light indicator purpose, but the core `hue` executable is missing and points to placeholder or unknown sources, so users would need to trust unreviewed code to install it.

Guidance: Review this carefully before installing. The intended Hue-light behavior is clear, but the reviewed artifact set does not include the actual `hue` command that would control your lights. Verify the real source and contents of that executable, protect the Hue API key in the local config file, and test on a non-critical light first.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium, Confidence: High, Status: Concern
package.json
"homepage": "https://github.com/yourusername/philips-hue-thinking", ... "bin": { "hue": "./hue" }, ... "files": [ "hue", "SKILL.md", "README.md", "LICENSE" ]

The package declares a central `hue` executable and placeholder repository metadata, but the provided manifest does not include the `hue` binary. The user would have to obtain the device-controlling executable from an unverified or placeholder source.

User impact: Installing this skill as documented could lead you to run a `hue` program that was not included in the reviewed artifacts.
Recommendation: Do not copy or run an external `hue` executable until you verify the real repository, author, and script contents. Prefer a package that includes the reviewed executable or a pinned, trustworthy install source.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
README.md
The assistant will automatically use `hue thinking` and `hue done` during long tasks.

The skill intentionally lets the agent invoke commands that change Philips Hue lights. This is aligned with the stated purpose, but it is still physical device control.

User impact: Your assistant may change selected lights while it works, including pulsing them red or setting them green.
Recommendation: Choose a non-critical light ID, verify commands manually first, and avoid using this with lights where unexpected changes could cause problems.

Rogue Agents
Severity: Low, Confidence: High, Status: Note
SKILL.md
Background process keeps pulsing ... `pkill -f "hue-pulse-loop"`

The pulse effect is implemented as a background process that may keep running until explicitly stopped. This is documented and purpose-aligned, but it is persistent behavior.

User impact: A light may keep pulsing after the original task unless the process is stopped or the light is reset.
Recommendation: Know how to stop the pulse process before relying on the skill, and use `hue done <light-id>` or the documented `pkill` command if it gets stuck.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
SKILL.md
Config stored in: `~/.config/philips-hue/config.json` ... "username": "your-api-key"

The skill documents storing a Hue bridge API username/key locally. This credential is expected for Hue Bridge access and no artifact shows it being exfiltrated.

User impact: Anyone or any process that can read and use this config may be able to control your Hue lights through the bridge.
Recommendation: Keep the config file private, avoid sharing logs or screenshots containing the API key, and revoke/regenerate the Hue username if it is exposed.