Beestat
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: beestat
Version: 0.1.0
The skill bundle defines a legitimate purpose: querying ecobee thermostat data via the Beestat API using a CLI. The `SKILL.md` provides standard installation instructions (`npm install -g beestat-cli`) and usage examples that are consistent with the stated goal. There is no evidence of prompt injection against the agent, data exfiltration, malicious execution, persistence mechanisms, or obfuscation within the provided files. Requiring the environment variable `BEESTAT_API_KEY` is standard practice for API access.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user who installs the skill will need to trust the npm package that provides the beestat command.
The skill depends on a globally installed external npm package whose implementation is not included or pinned in the provided artifacts; this is expected for the CLI purpose but requires package trust.
`npm install -g beestat-cli`
Verify the npm package name, publisher, and version before installing, and prefer a trusted or pinned version if available.
Anyone or any process using this environment variable could query data available through the linked Beestat/ecobee account.
The skill requires a Beestat API key after linking an ecobee account, giving the CLI access to the thermostat data needed for its stated purpose.
Set environment variable: `export BEESTAT_API_KEY="your-key"`
Store the API key securely, avoid sharing shell profiles or logs that include it, and revoke or rotate the key if it is no longer needed.
Home occupancy, temperature, air-quality, and HVAC details may appear in the agent conversation when the skill is used.
The skill is designed to retrieve provider-backed home sensor data, including occupancy, which is sensitive even though it is directly aligned with the stated purpose.
`beestat sensors # All sensors with temperature and occupancy`
Use the skill only in trusted sessions and avoid requesting or displaying occupancy details where they could be seen by unintended people.
