Skill v1.0.26

ClawScan security

Meross Smart · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 6:41 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, environment needs, and runtime instructions align with a Meross cloud plug controller; required credentials and a single npm dependency are proportional to its purpose.
Guidance
This skill appears to do what it says: control Meross cloud plugs. Before installing, consider: 1) it requires your Meross account email and password — only provide credentials you trust to the skill and avoid storing them in files; 2) you will need to run 'npm install' which will fetch the meross-cloud package from npm — if you have supply-chain concerns, run in an isolated environment or inspect that dependency separately; 3) the skill writes and reads a local devices.json (registry) — review that file and set appropriate filesystem permissions; 4) if you are uncomfortable sharing long‑lived credentials, create a dedicated Meross account or rotate credentials after testing; 5) the agent can invoke the skill autonomously by default (platform default) — if you don't want autonomous actions, restrict or disable the skill in agent settings. Overall the footprint and requirements are proportionate to the stated purpose.

Review Dimensions

Purpose & Capability
ok · Name/description (control Meross plugs) match the code and instructions. The skill only requires MEROSS_EMAIL and MEROSS_PASSWORD (and optional MEROSS_REGION), which are appropriate for authenticating to Meross cloud. The included meross-cloud dependency is expected for the stated function.
Instruction Scope
ok · SKILL.md confines runtime to the local CLI (node dist/cli.js) and enumerates commands and registry behavior. It does not instruct reading unrelated system files or exfiltrating data. It explicitly forbids writing credentials to registry files and restricts capabilities to 'switch' only.
Install Mechanism
note · There is no platform-level install spec; SKILL.md instructs running npm install and npm run build in new environments. The package relies on the public npm package meross-cloud (declared in package.json). This is reasonable but means runtime will fetch third‑party code from the npm registry; the user should be aware of supply-chain risk and run in an isolated/test environment if unsure.
Credentials
ok · Requested environment variables are MEROSS_EMAIL and MEROSS_PASSWORD (primary), with MEROSS_REGION optional. These are necessary and proportionate for authenticating to Meross cloud. The code does not read other unexpected env vars or config paths.
Persistence & Privilege
ok · The skill is not forced-always (always: false) and does not request elevated or cross-skill configuration. It reads/writes a local devices.json in the skill root (as documented). Autonomous model invocation remains enabled by default but is not combined with other concerning privileges here.