Sensibo
ReviewAudited by ClawScan on May 1, 2026.
Overview
This skill is coherently aimed at Sensibo AC control, but it uses a Sensibo API key and can change device state, schedules, and automations.
This appears safe to install if you intend to let the agent control your Sensibo AC devices. Protect the API key, keep TOOLS.md private, and confirm device names, schedules, and bulk actions before allowing changes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A wrong device ID, schedule ID, or bulk request could change or remove climate settings for one or more AC units.
The skill documents commands that can delete schedules and apply changes across multiple AC devices. This is aligned with the AC-control purpose, but it is state-changing authority that users should invoke carefully.
Delete Schedule
```bash
curl --compressed -X DELETE "https://home.sensibo.com/api/v1/pods/{device_id}/schedules/{schedule_id}/?apiKey={key}"
```
...
5. **Bulk operations:** Loop through device IDs for "turn off all ACs"Before using write, delete, or bulk operations, confirm the intended room/device and schedule, especially for recurring schedules or all-device requests.
Anyone with the API key may be able to view or control the associated Sensibo devices, depending on Sensibo's API permissions.
The skill requires a Sensibo account API key to access and control devices. This is expected for the integration, but the key likely grants meaningful account/device authority.
1. Get API key from https://home.sensibo.com/me/api
...
**Auth:** `?apiKey={key}` query parameterUse a Sensibo API key only if you trust the environment where the skill runs, avoid sharing it, and rotate the key if it may have been exposed.
If TOOLS.md is shared, synced, exposed in prompts, or readable by other tools, the Sensibo API key could be disclosed.
The setup recommends saving the API key in a persistent markdown file that the agent can later read for device lookup. This is useful for operation, but it stores sensitive credential material in plaintext context.
Store in TOOLS.md:
```markdown
## Sensibo
API Key: `{your_key}`
| Room | Device ID |Keep TOOLS.md private, do not commit or share it, and prefer a secret manager or environment variable if your agent environment supports one.