Loxone
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Loxone smart-home skill, but it deserves review because it handles home-control credentials, can change real devices, and an included auth helper can print a live session token.
Install only if you are comfortable giving the skill Loxone Miniserver credentials and smart-home control authority. Use a least-privilege Loxone account, prefer HTTPS, keep config.json chmod 600, avoid printing or sharing token output, and require explicit confirmation before any device-control action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A printed Loxone token may allow access to the Miniserver until it expires if someone or another tool can see the output.
The helper constructs a WebSocket URL containing the authentication token and prints it. In an agent setting, that token could enter the conversation transcript, logs, or shell history.
`return f"{scheme}://{self.host}/ws/rfc6455?token={self.token}"` ... `print(f" {auth.get_ws_url()}")`
Avoid running the auth test helper unless needed, remove or mask token printing, use a least-privilege Loxone account, and keep config/output out of shared logs.
If used incorrectly, the agent could turn lights, switches, or other connected devices on or off.
The skill exposes commands that can mutate smart-home device state, while also documenting an explicit user-request guard.
`python3 scripts/loxone.py control "<Room>" "<Control>" on|off` ... `Treat as **read-only by default**; only use control commands when explicitly requested.`
Only allow control commands after a clear user request, verify the room/device/action before execution, and prefer read-only status commands for general queries.
Room names, device names, and home activity patterns may be saved locally or shown in the agent session.
The watcher caches the home structure locally and can stream live state changes indefinitely when invoked without a duration.
`cache = Path(__file__).parent.parent / ".cache"` ... `out = cache / "LoxAPP3.json"` ... `parser.add_argument("--duration", type=float, default=0, help="Watch duration in seconds (0=forever)")`
Use room/control filters and finite durations when possible, and protect or periodically remove cached structure files if the device layout is sensitive.
Installation may fail or rely on whatever package versions are already present in the environment.
The documentation statement quoted below conflicts with the provided code and SKILL frontmatter, which use or declare external Python packages such as requests and websockets, and there is no install spec to pin or install them.
No additional Python packages required. Uses only Python standard library (WebSocket, HTTP).
Document and pin required Python packages, and align SETUP.md, registry metadata, and any install instructions.
