Beestat
v0.1.0
Query ecobee thermostat data via Beestat API including temperature, humidity, air quality (CO2, VOC), sensors, and HVAC runtime. Use when user asks about home temperature, thermostat status, air quality, or heating/cooling usage.
by Matt Russell (@mjrussell)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a CLI that queries Beestat/ecobee data and requires the beestat CLI plus BEESTAT_API_KEY — this is coherent with the stated purpose. However, the registry metadata shown to the scanner lists no required binaries or env vars, while the SKILL.md metadata declares bins:["beestat"] and env:["BEESTAT_API_KEY"]. That mismatch is an inconsistency in the package metadata that should be resolved.
Instruction Scope
The instructions are narrowly scoped: they tell the user to install an npm package, obtain an API key from beestat.io, set BEESTAT_API_KEY, and run CLI commands to fetch thermostat, sensor, and air-quality data. There are no instructions to read unrelated local files or exfiltrate data outside the Beestat API.
Install Mechanism
This is an instruction-only skill that advises running `npm install -g beestat-cli`. Installing a global npm package is a common delivery method but has moderate supply-chain risk (npm package integrity, publisher identity, post-install hooks). The registry contains no automated install spec — the install step is manual and therefore under the user's control, but you should verify the npm package and publisher before installing.
Credentials
Requesting a single BEESTAT_API_KEY is proportionate to a service that calls the Beestat API. The concern is the metadata inconsistency: the public registry/skill summary claims no required env vars while the SKILL.md requires BEESTAT_API_KEY. Ensure the agent/platform will not demand broader credentials and confirm the key's intended scope before providing it.
Persistence & Privilege
The skill does not request 'always: true' and does not declare persistence or system-wide configuration changes. It is user-invocable and may be invoked autonomously per platform defaults, which is expected for skills and is not by itself a red flag.
What to consider before installing
Before installing or enabling this skill: (1) resolve the metadata mismatch — confirm whether the skill actually requires the beestat CLI and BEESTAT_API_KEY, (2) verify the npm package publisher and inspect the package (or run in a sandbox) before performing a global `npm install -g`, (3) obtain an API key with the minimum scope possible and be ready to revoke it if anything looks suspicious, (4) confirm the contact email and homepage (beestat.io) are legitimate, and (5) if you allow the agent to invoke skills autonomously, be aware that this skill will have network access to the Beestat API when invoked. If you need higher assurance, ask the skill author for source code or a signed release link (GitHub release) rather than installing an opaque npm package.
Like a lobster shell, security has layers — review code before you run it.
latest: vk977z8rxgehsqahjz3nsf261517yvtyn
Runtime requirements
🌡️ Clawdis
Bins: beestat
Env: BEESTAT_API_KEY
