Google Home/Nest
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s stated Nest-control purpose is understandable, but it asks for sensitive Google device access while referencing missing helper commands and a global symlink that cannot be reviewed from the provided artifacts.
Review this skill before installing. The Google Nest access itself is expected, but the package is incomplete: it references helper commands that are not present and suggests a global symlink. Only use it if you are comfortable managing Google OAuth tokens yourself, and do not run or link any helper script unless its contents are provided and trustworthy.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be led to trust or globally install a missing/unreviewed helper for smart-home control, potentially overwriting an existing `nest` command or running code whose provenance is not shown.
The provided artifact set contains only SKILL.md, so the referenced helper is not available for review, and the setup command would force-link it into a global executable path.
A `nest` CLI helper is included at `scripts/nest` ... `ln -sf /Users/mitchellbernstein/clawd/skills/google-home/scripts/nest /usr/local/bin/nest`
Do not install or link the helper unless the actual script is provided and reviewed; avoid `ln -sf` into `/usr/local/bin`, and declare all helper binaries and install steps in the package metadata.
Anyone or any agent with these tokens may be able to list or control Nest devices and access camera-related functions allowed by the Google account permissions.
The skill requires Google OAuth credentials and tokens for Nest device access, which is expected for this integration but sensitive and not declared in the registry metadata.
export GOOGLE_HOME_CLIENT_SECRET="your-client-secret"
export GOOGLE_HOME_ACCESS_TOKEN="your-access-token"
Use the least-privileged Google OAuth scopes available, keep tokens out of shared logs or prompts, store them securely, and revoke them if the skill is no longer used.
Mistaken or unintended invocation could change thermostat/fan/speaker behavior or expose camera imagery or stream URLs.
The documented capabilities can change physical device state and retrieve camera data. This is purpose-aligned, but users should notice the impact before allowing an agent to run these commands.
`--temp <degrees>` — set target temperature ... `--snapshot` — download current image ... `--stream` — start live stream URL
Require explicit user confirmation before changing device state or accessing cameras, and verify the exact device ID/name before each command.
