Tuya Smart Home
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could turn devices on or off, move curtains, or dispense pet food if given credentials and device details; mistakes could have real-world effects.
The script can send arbitrary cloud command codes or local DP IDs and values to devices, and the artifacts do not show confirmation, allowlisting, or safety checks before changing device state.
resp = api.post(f'/v1.0/devices/{device_id}/commands', {'commands': [{'code': code, 'value': value}]}) ... device.set_value(int(dp_id), value)
Only use it for explicitly requested device actions, and add a clear confirmation step plus command/value allowlists for high-impact actions such as feeding, plugs, curtains, or reset-like commands.
Anyone or any agent with these values may be able to query or control the linked Tuya devices.
The skill clearly discloses that it needs Tuya cloud credentials and device local keys, which are sensitive because they authorize access to smart-home devices.
Requires Tuya IoT Platform credentials ... `ACCESS_ID` ... `ACCESS_SECRET` ... Local Mode ... `LOCAL_KEY`
Provide credentials only when needed, avoid sharing them in persistent chat/history, rotate them if exposed, and consider documenting them in the registry metadata as required credentials.
Different or compromised package versions could affect how device credentials and commands are handled.
The installation guidance uses unpinned third-party Python packages. This is normal for this integration, but users depend on whatever package versions pip resolves at install time.
pip3 install tinytuya tuya-connector-python
Install from trusted sources, consider pinning known-good versions, and review package provenance before use.
