Tuya Smart Home
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to control Tuya devices as advertised, but it can directly send arbitrary commands to physical smart-home devices without explicit confirmation or safety limits.
Review this before installing if you do not want an agent to operate real-world devices. Use it only with explicit user confirmation, keep Tuya secrets and local keys private, and prefer scoped or allowlisted commands for high-impact devices.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could turn devices on or off, move curtains, or dispense pet food if given credentials and device details; mistakes could have real-world effects.
The script can send arbitrary cloud command codes or local DP IDs and values to devices, and the artifacts do not show confirmation, allowlisting, or safety checks before changing device state.
resp = api.post(f'/v1.0/devices/{device_id}/commands', {'commands': [{'code': code, 'value': value}]}) ... device.set_value(int(dp_id), value)
Only use it for explicitly requested device actions, and add a clear confirmation step plus command/value allowlists for high-impact actions such as feeding, plugs, curtains, or reset-like commands.
Anyone or any agent with these values may be able to query or control the linked Tuya devices.
The skill clearly discloses that it needs Tuya cloud credentials and device local keys, which are sensitive because they authorize access to smart-home devices.
Requires Tuya IoT Platform credentials ... `ACCESS_ID` ... `ACCESS_SECRET` ... Local Mode ... `LOCAL_KEY`
Provide credentials only when needed, avoid sharing them in persistent chat/history, rotate them if exposed, and consider documenting them in the registry metadata as required credentials.
Different or compromised package versions could affect how device credentials and commands are handled.
The installation guidance uses unpinned third-party Python packages. This is normal for this integration, but users depend on whatever package versions pip resolves at install time.
pip3 install tinytuya tuya-connector-python
Install from trusted sources, consider pinning known-good versions, and review package provenance before use.
