Tapo

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent smart-home control skill, but it handles sensitive credentials and can control devices or capture camera snapshots, so it should be installed only with secure MCP configuration.

Before installing, make sure you trust the Tapo MCP server and its container image, enable bearer-token authentication, protect `~/.mcporter/mcporter.json`, and only allow the agent to control devices or take camera snapshots when you explicitly want that.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly, the agent could turn devices on or off, change lights, or capture a camera image.

Why it was flagged

The skill intentionally exposes tools that can change physical smart-home device state and capture camera stills. This is aligned with the stated purpose, but it is sensitive functionality.

Skill content

`control_device` | Control a device by applying one or more set capabilities. ...
`take_snapshot` | Capture a still JPEG snapshot from a Tapo camera (~640x360).

Recommendation

Use this only with trusted agents and require clear user intent before controlling devices or taking snapshots.

What this means

Compromise or mishandling of these credentials could allow unauthorized access to Tapo devices or camera snapshots.

Why it was flagged

The referenced MCP server requires Tapo account credentials and may require separate camera credentials. These are expected for the integration but grant access to home devices and cameras.

Skill content

`TAPO_MCP_USERNAME` | Yes | — | Tapo account email ...
`TAPO_MCP_PASSWORD` | Yes | — | Tapo account password ...
`TAPO_MCP_CAMERA_PASSWORD` | No | — | Camera account password

Recommendation

Store credentials as secrets, enable a strong MCP bearer token, restrict local config file permissions, and rotate credentials if exposed.

What this means

If the MCP server is reachable without authentication, any other local client or agent that can reach it could invoke the device-control or camera tools.

Why it was flagged

The MCP server is an HTTP tool endpoint for home devices. Authentication is supported and recommended, but the server can run without it if the API key is omitted.

Skill content

When `TAPO_MCP_API_KEY` is set, the server requires all HTTP requests to include an `Authorization: Bearer <key>` header. ... When the variable is unset ... the server runs without authentication.

Recommendation

Always set `TAPO_MCP_API_KEY`, keep the server bound to a trusted interface, and avoid exposing it beyond the trusted local network.

What this means

A changed or compromised upstream image could affect code that handles Tapo credentials and device control.

Why it was flagged

The setup guide uses a floating `latest` container image for the external MCP server. This is a user-directed, purpose-aligned dependency, but the exact code version can change over time.

Skill content

ghcr.io/mihai-dinculescu/tapo-mcp:latest

Recommendation

Pin the MCP server image to a reviewed version or digest and monitor the upstream project before providing credentials.