LG ThinQ
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its LG appliance-control purpose, but it deserves review because it uses a local ThinQ account token and includes an under-documented raw command that could send broad device-control requests.
Install only if you trust this source and are comfortable giving the agent ThinQ appliance-control access. Secure the token file, verify the thinqconnect dependency before installing, and avoid or disable the raw command unless you can review and approve the exact payload.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or user could send broader appliance-control requests than the skill description suggests, potentially changing physical device behavior without the same guardrails as the documented commands.
The script exposes a generic raw device-control command that can pass arbitrary payloads to the ThinQ control API, while SKILL.md documents only specific temperature and mode commands.
print(" raw <device> <json> Send raw command") ... return await api.async_post_device_control(device_id, payload)
Remove the raw command, or require explicit user confirmation plus allowlisted schemas, model-specific validation, and clear documentation before any raw control request is sent.
Anyone or any process that can read this token file may be able to access or control the linked LG appliances through the API.
The skill requires a ThinQ Personal Access Token stored in a local file, which is expected for the service but grants access to the user's appliance account.
Get a Personal Access Token from https://connect-pat.lgthinq.com ... Store token: `echo "YOUR_TOKEN" > ~/.config/lg-thinq/token`
Use a least-privileged token if LG supports it, restrict file permissions, and revoke the token if the device or account is no longer used.
Installing an unpinned dependency can introduce supply-chain risk if the package source or version is not verified.
The runtime depends on an external Python package, but the artifact has no install spec or version pin; the install is user-directed rather than automatic.
from thinqconnect.thinq_api import ThinQApi ... print("❌ thinqconnect not installed. Run: pip install thinqconnect")
Document the dependency in an install spec, pin a known-good version, and install only from a trusted package source.
The cache may reveal private information about the user's home appliances to local users or processes with file access.
The skill caches the user's appliance list locally, including device identifiers and metadata.
DEVICES_CACHE = CONFIG_DIR / "devices.json" ... DEVICES_CACHE.write_text(json.dumps(devices, indent=2))
Store the cache with restrictive permissions, avoid sharing it, and delete it when no longer needed.
