Homey - Home Automation
Review
Audited by ClawScan on May 10, 2026.
Overview
This Homey skill is purpose-aligned, but it would control real smart-home devices and trigger flows through unreviewed CLI files that are not included in the package.
Install only if you trust the missing CLI implementation. Before use, verify the referenced run.sh/package files, protect the Homey token directory, and require confirmation before any device change or flow trigger.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could change real device states or trigger automations with wider side effects than the user intended.
The skill exposes commands that mutate smart-home devices and trigger Homey flows, but the artifacts do not show a confirmation requirement, flow allowlist, device allowlist, or rollback/containment model.
bash run.sh devices on <deviceId>
...
bash run.sh devices off <deviceId>
...
bash run.sh flows trigger <flowId>
Require explicit user confirmation for every write or flow trigger, restrict allowed devices/flows/capabilities, and show the exact target and expected effect before execution.
A user would be asked to run unreviewed or missing local code before granting Homey account access.
The provided manifest contains only SKILL.md and no install spec or code files, yet the instructions refer to npm dependencies and a run.sh helper. This leaves the actual CLI implementation and safety claims unverifiable from the submitted artifacts.
cd skills/homey-cli
npm install
...
bash run.sh auth login
Include the referenced package files, lockfile, and run.sh in the reviewed artifact set, or remove the executable setup instructions until the implementation can be verified.
Anyone with access to the token files may be able to control or inspect the user's Homey environment.
Homey OAuth credentials and stored tokens are expected for this integration, but they provide ongoing access to the user's Homey account and devices.
export HOMEY_CLIENT_ID="your-client-id"
export HOMEY_CLIENT_SECRET="your-client-secret"
...
Tokens are stored in `~/.config/homey-cli/`.
Declare the credential requirements in metadata, protect the token directory, and revoke the Homey app credentials if the skill is removed or no longer trusted.
Users may over-trust the safety label and allow actions that are broader than simple device toggles.
The skill emphasizes safety and allowlisting, but the artifacts do not show code proving the allowlist, and flow triggering is presented as available despite flows potentially causing broad side effects.
Safe, capability-allowlisted operations only.
...
Flow Operations
...
bash run.sh flows trigger <flowId>
Document the exact safety boundaries, especially for flows, and avoid claiming allowlisted safety unless the reviewed implementation enforces it.
