Google Home/Nest
v1.0.0
Control Google Nest thermostats, cameras, and doorbells via Google Smart Device Management API using curl and jq commands.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (control Google Nest via SDM API) matches the API calls and OAuth flow described in SKILL.md. However the skill references a CLI (google-home-cli / nest) and helper scripts that are not included, and the registry metadata does not declare required environment variables present in the instructions — these omissions make the capability incomplete.
Instruction Scope
Instructions direct the user/agent to create OAuth credentials, refresh tokens, and to store tokens in env vars or ~/.config; they also instruct creating a symlink from an absolute path in another user's home (/Users/mitchellbernstein/...) into /usr/local/bin. The SKILL.md references reading/writing ~/.config and creating system-level symlinks but no code files are provided. There are inconsistent variable names (examples use GOOGLE_HOME_ACCESS_TOKEN vs later examples using $ACCESS_TOKEN). These gaps give the agent broad undefined discretion and could lead to executing or linking unknown files.
Install Mechanism
There is no install spec (instruction-only), which minimizes automatic installation risk. However SKILL.md instructs manual linking of a helper script located at a hard-coded local path that will not exist for most users — this is misleading and could prompt unsafe manual actions (writing to /usr/local/bin).
Credentials
The SKILL.md expects client_id, client_secret, refresh_token/access_token to interact with Google's SDM API, which is appropriate for the task. But the registry lists no required env vars or primary credential, and the SKILL.md uses inconsistent names (GOOGLE_HOME_ACCESS_TOKEN vs $ACCESS_TOKEN). The instructions ask for high-value secrets (OAuth tokens) without providing secure handling details or declaring them in the skill metadata — this mismatch is concerning.
Persistence & Privilege
The skill does not request always:true and is not asking for elevated platform privileges. It does instruct creating a config file in the user's home (~/.config/google-home/config.json) and suggests installing a helper into /usr/local/bin; these are normal for a CLI but should only be done with source code you trust. No evidence the skill modifies other skills or system-wide agent configs.
Scan Findings in Context
[no_code_files] expected: The scanner found no code files to analyze because this is an instruction-only skill (SKILL.md). That explains the lack of regex findings, but also means the runtime behavior depends entirely on external actions and missing scripts referenced in the instructions.
What to consider before installing
Do not install or run commands from this skill as-is. Specific things to check before using:
1) Ask the author for the actual CLI implementation or an install source — none of the referenced commands (google-home-cli, scripts/nest) are included.
2) Verify where helper scripts come from; never symlink or run files from paths you don't control (the SKILL.md shows a hard-coded path belonging to another user).
3) Be cautious with OAuth secrets — only provide client_id/secret/refresh_token to trusted software and ensure correct env var names; the SKILL.md is inconsistent about variable names.
4) Prefer official Google client libraries or documented SDK examples for the SDM API rather than ad-hoc scripts.
5) Ask the publisher to update registry metadata to declare required env vars and included binaries, and to remove/replace any hard-coded absolute paths.
If the publisher cannot provide code or a trustworthy install source, treat the skill as incomplete/untrusted.
Like a lobster shell, security has layers — review code before you run it.
