Govee Lights Control

v1.0.0

Control Govee smart lights to turn on/off, adjust brightness, set colors, and manage device states via the Govee API.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md and the included script (scripts/govee.py) describe controlling Govee devices via the Govee API, which reasonably requires an API key. However, the registry metadata declares no required environment variables or primary credential. The lack of source/homepage and unknown origin also reduces accountability.
! Instruction Scope
Runtime instructions are narrowly scoped to running the bundled Python script and setting GOVEE_API_KEY; they do not request unrelated files or system-wide access. But the SKILL.md references an environment variable (GOVEE_API_KEY) that is not declared in the skill's metadata, and the agent will be instructed to execute a local script (scripts/govee.py) whose behavior should be audited.
Install Mechanism
There is no install spec (no code downloaded at install time). The README suggests installing the single dependency 'requests' via pip. That is a low-risk install model, but note the skill bundles an executable Python script that will be run locally.
! Credentials
SKILL.md requires GOVEE_API_KEY to call the Govee API, but the skill metadata does not declare any required environment variables or a primary credential. This mismatch is suspicious because it hides a credential requirement from the registry metadata and policy checks.
Persistence & Privilege
The skill does not set always:true (so it is not force-included), but it also does not set disable-model-invocation:true. That means the model could invoke the skill autonomously (default behavior). For a device-control skill, consider whether autonomous invocation is acceptable.
What to consider before installing
Before installing, inspect scripts/govee.py to confirm exactly what network calls and data it sends/receives (look for calls to external URLs, logging, or reading other env vars/files). Ask the publisher to update registry metadata to declare GOVEE_API_KEY as a required/primary credential and to provide a source URL or homepage (so you can verify provenance). If you want stricter control, require user-invocable-only or disable automatic model invocation. Run the script in a sandbox or review the code for any unexpected exfiltration of data (tokens, local files) before providing your Govee API key.

Like a lobster shell, security has layers — review code before you run it.

Tags: govee, home automation, latest, lights
