Samsung Smartthings

Things to consider before installing: - Metadata mismatch: The registry shows no required binaries or env vars, but the SKILL.md/script expect python3 and the SmartThings CLI (or npx) and optionally a SMARTTHINGS_TOKEN/PAT. Double-check you can provide the PAT and have the required tooling. - Default redirect leaks the auth code: The script defaults to redirecting to https://httpbin.org/get to let you see the code in a browser. That sends the authorization code to a third-party service (httpbin.org). If you care about privacy or security, override --redirect-uri to a URI you control (or use the console-based app creation flow). - npx runtime fetch: If you don't have a local smartthings binary, the script will run 'npx -y @smartthings/cli' which fetches and executes a package from the npm registry at runtime. If you prefer, install the official SmartThings CLI beforehand from a trusted source to avoid dynamic fetch. - Secrets storage: The script writes client id/secret and access/refresh tokens to ~/.clawdbot/.env (or CLAWDBOT_STATE_DIR/.env) and attempts to set mode 600. Inspect that file and protect it; consider using a dedicated secure secret store if needed. - Review before running: Read the bundled scripts (setup_smartthings.py) and consider running the commands manually or in a controlled environment the first time. If anything about the redirect URI, PAT handling, or CLI invocation makes you uncomfortable, do not run the script until you can safely provide an alternate redirect URI and a vetted CLI installation. Overall: the skill appears to implement its stated function, but the httpbin default redirect and runtime npx execution are notable risks and the published metadata is inconsistent with the actual requirements. If you proceed, correct the redirect URI and install/verify the SmartThings CLI yourself rather than relying on npx.