Homey
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s behavior matches its stated Homey smart-home control purpose, but it gives an agent real control over devices and uses Homey tokens.
Install this only if you want an agent to read and control your Homey smart-home devices. Be especially careful with locks, thermostats, security devices, and flows; require confirmation for those actions and keep Homey tokens private.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misunderstands a request or is given an unsafe instruction, it could change physical device states such as locks, lights, thermostats, or automations.
The skill can issue real smart-home control commands, including unlocking a door, which is high-impact but consistent with the documented Homey-control purpose.
homeycli device "Front Door" set locked false
Use this skill only with trusted agents, require explicit confirmation for locks/security/thermostat changes, and prefer exact device IDs for high-impact actions.
Anyone with access to the stored token or config may be able to control or view Homey devices within that token’s permissions.
The skill uses Homey local/cloud tokens and may store them in a local config file; this is expected for the integration and disclosed in the docs.
"local": { "address": "http://192.168.1.50", "token": "LOCAL_API_KEY" },
"cloud": { "token": "CLOUD_TOKEN" }
Store tokens securely, avoid sharing ~/.homey/config.json, use the least-privileged token available, and revoke/rotate tokens if exposed.
Running release/developer scripts from an untrusted source could execute local shell commands.
A static scan found shell command execution in a release script. The provided user-facing setup and runtime commands do not show this script being automatically executed.
return execSync(cmd, { stdio: 'pipe', encoding: 'utf8', ...opts }).trim();
Normal users should not run release scripts; review package scripts and source before running developer or publishing commands.
