Samsung Smartthings
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real SmartThings TV-control skill, but it requests broad smart-home control and has credential-handling choices that users should review before installing.
Install only if you are comfortable granting broad SmartThings device-control access. Prefer a private redirect URI instead of httpbin, avoid sharing setup logs, rotate the PAT if it appears in output, and review the full setup script before running because the supplied source view is truncated.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If granted, the integration may be able to read or control other SmartThings devices in the account, not only the TV.
These scopes allow read and command execution across SmartThings devices generally, which is broader than the stated Samsung TV-control purpose.
Uses scopes r:devices:* and x:devices:* (read + execute commands).
Use the least-privileged SmartThings scopes available, clearly warn users that all-device control is being granted, and ensure agent actions are limited to the configured TV device ID.

A SmartThings PAT could appear in terminal output, logs, crash reports, or screenshots after a setup failure.
The PAT is added to the command line and the full command is included in an error message if the CLI call fails.
cmd.extend(["--token", token]) ... f"Command: {' '.join(cmd)}"
Do not place tokens in logged command strings; pass credentials through safer mechanisms if supported and redact secrets from all error messages.

The temporary OAuth code may be visible to httpbin.org and may also be stored in browser history or logs.
The OAuth authorization code is sent to a third-party echo service by default rather than to a user-controlled or local callback.
Redirect URI defaults to https://httpbin.org/get ... The default redirect uses https://httpbin.org/get to show the code in the URL
Use a user-controlled redirect URI or localhost callback by default, and clearly warn users before using any third-party redirect service.

Setup depends on the current npm-published SmartThings CLI package, which can change over time.
If the SmartThings CLI is not already installed, setup may download and run the latest npm package through npx without a pinned version.
return [npx_path, "-y", "@smartthings/cli"]
Prefer installing a vetted or pinned SmartThings CLI version, or document this supply-chain dependency clearly.
