Beestat
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user who installs the skill will need to trust the npm package that provides the beestat command.
The skill depends on a globally installed external npm package whose implementation is not included or pinned in the provided artifacts; this is expected for the CLI purpose but requires package trust.
`npm install -g beestat-cli`
Verify the npm package name, publisher, and version before installing, and prefer a trusted or pinned version if available.
Anyone or any process using this environment variable could query data available through the linked Beestat/ecobee account.
The skill requires a Beestat API key after linking an ecobee account, giving the CLI access to the thermostat data needed for its stated purpose.
Set environment variable: `export BEESTAT_API_KEY="your-key"`
Store the API key securely, avoid sharing shell profiles or logs that include it, and revoke or rotate the key if it is no longer needed.
Home occupancy, temperature, air-quality, and HVAC details may appear in the agent conversation when the skill is used.
The skill is designed to retrieve provider-backed home sensor data, including occupancy, which is sensitive even though it is directly aligned with the stated purpose.
`beestat sensors # All sensors with temperature and occupancy`
Use the skill only in trusted sessions and avoid requesting or displaying occupancy details where they could be seen by unintended people.
