Samsung Smartthings
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Device scopes broader than the stated purpose

Impact: If granted, the integration may be able to read or control any SmartThings device in the account, not only the TV.
Description: These scopes allow reading and executing commands across SmartThings devices generally, which is broader than the stated Samsung TV-control purpose.
Evidence: Uses scopes r:devices:* and x:devices:* (read + execute commands).
Recommendation: Use the least-privileged SmartThings scopes available, warn users clearly that all-device control is being granted, and ensure agent actions are limited to the configured TV device ID.
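One way to enforce the last recommendation in the skill itself, as an added example that is not the skill's own code: the agent may name a device, but the controller only ever issues commands for the single TV ID that was configured at setup, and refuses everything else before the CLI is touched. The CLI argument layout (`smartthings devices:commands <device-id> <json>`) and the `TvController` name are assumptions for illustration; check the installed CLI's help for the exact syntax.

```python
# Added example (not the skill's own code): pin agent-issued SmartThings
# commands to the one TV the user configured. The granted r:devices:* and
# x:devices:* scopes would let a command reach any device in the account,
# so the skill itself has to enforce the narrower boundary.
# Assumption for illustration: the CLI is invoked as
# "smartthings devices:commands <device-id> <json>"; check the installed
# CLI's help for the exact argument layout before relying on it.
import json
import re
import subprocess

# SmartThings device IDs are UUIDs; reject anything else up front.
DEVICE_ID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


class DeviceScopeError(PermissionError):
    """Raised when a command targets a device other than the configured TV."""


class TvController:
    def __init__(self, configured_tv_id, runner=subprocess.run):
        if not DEVICE_ID_RE.match(configured_tv_id):
            raise ValueError("configured TV device ID is not a UUID")
        self.tv_id = configured_tv_id.lower()
        self.runner = runner  # injectable so the check can be exercised offline

    def authorize(self, device_id):
        """Return the canonical TV ID, or refuse: the agent does not pick targets."""
        if not isinstance(device_id, str) or device_id.lower() != self.tv_id:
            raise DeviceScopeError(
                f"refusing command for device {device_id!r}: only the configured TV is allowed"
            )
        return self.tv_id

    def send_command(self, device_id, capability, command, arguments=()):
        target = self.authorize(device_id)
        # Command body in the SmartThings device-commands JSON shape.
        payload = {
            "commands": [{
                "component": "main",
                "capability": capability,
                "command": command,
                "arguments": list(arguments),
            }]
        }
        cmd = ["smartthings", "devices:commands", target, json.dumps(payload)]
        return self.runner(cmd, check=True, capture_output=True, text=True)
```

The check lives in the skill, not in the scopes: even with r:devices:* and x:devices:* granted, a request for any other device ID is rejected before a process is spawned, and the ID actually passed to the CLI is always the configured one in canonical form.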
2. PAT placed on the command line and echoed in error messages

Impact: A SmartThings PAT could appear in terminal output, logs, crash reports, or screenshots after a setup failure. The argument list of a running process is also visible to other local users through tools such as ps.
Description: The PAT is appended to the CLI command line, and the full command line, token included, is interpolated into the error message if the CLI call fails.
Evidence: cmd.extend(["--token", token]) ... f"Command: {' '.join(cmd)}"
Recommendation: Do not place tokens in logged command strings; pass credentials through a safer mechanism where the CLI supports one (for example an environment variable) and redact secrets from all error messages.
3. OAuth authorization code redirected to a third-party service

Impact: The temporary OAuth code is disclosed to httpbin.org, which may log it, and may also be stored in browser history or proxy logs.
Description: By default, the OAuth authorization code is sent to a third-party echo service rather than to a user-controlled or local callback.
Evidence: Redirect URI defaults to https://httpbin.org/get ... The default redirect uses https://httpbin.org/get to show the code in the URL
Recommendation: Use a user-controlled redirect URI or a localhost callback by default, and warn users clearly before using any third-party redirect service.
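A loopback callback that replaces the httpbin.org redirect, as an added example that is not the skill's own code: the listener binds to 127.0.0.1 on an ephemeral port, the redirect URI it reports is what the user registers with the SmartThings app, and a callback is accepted only when its state parameter matches the one generated for this login. The function names are illustrative, and the code does not write the authorization code to the server log.

```python
# Added example (not the skill's own code): receive the OAuth authorization
# code on a loopback listener instead of a third-party echo service. The code
# never leaves the machine, state is checked before the code is accepted, and
# mismatched requests are rejected without aborting the wait.
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


def new_state():
    """Per-login CSRF token to put in the authorization URL's state parameter."""
    return secrets.token_urlsafe(32)


class CallbackResult:
    def __init__(self):
        self.code = None
        self.rejected = 0
        self.done = threading.Event()


def make_handler(expected_state, result):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            params = parse_qs(urlparse(self.path).query)
            state = params.get("state", [None])[0]
            code = params.get("code", [None])[0]
            if not code or not secrets.compare_digest(state or "", expected_state):
                result.rejected += 1  # wrong state: ignore, keep waiting for the real one
                self.send_response(400)
                self.end_headers()
                self.wfile.write(b"Invalid callback")
                return
            result.code = code
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Authorization received; you may close this tab.")
            result.done.set()

        def log_message(self, *args):
            pass  # default logging would print the request line, code included

    return Handler


def start_callback_listener(expected_state, host="127.0.0.1", port=0):
    """Bind on loopback (port 0 = ephemeral) and return the redirect URI to register."""
    result = CallbackResult()
    server = HTTPServer((host, port), make_handler(expected_state, result))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    redirect_uri = f"http://{host}:{server.server_address[1]}/callback"
    return server, redirect_uri, result


def wait_for_code(server, result, timeout=300):
    """Block until a valid callback arrives, then shut the listener down."""
    try:
        if not result.done.wait(timeout):
            raise TimeoutError("no OAuth callback received")
        return result.code
    finally:
        server.shutdown()
        server.server_close()
```

Typical use: call `new_state()`, start the listener, build the authorization URL with that state and the returned `redirect_uri`, open it in the browser, then call `wait_for_code`. Because the port is chosen at bind time, the redirect URI must be registered (or allowed) for that port in the SmartThings app configuration; a fixed port is the usual choice when the registration cannot be a wildcard.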
4. Unpinned CLI download through npx

Impact: Setup depends on whatever version of the SmartThings CLI package is currently published on npm, which can change over time.
Description: If the SmartThings CLI is not already installed, setup may download and run the latest npm package through npx without a pinned version; the -y flag also suppresses npx's install confirmation prompt.
Evidence: return [npx_path, "-y", "@smartthings/cli"]
Recommendation: Prefer a vetted or pinned SmartThings CLI version (an exact @smartthings/cli@<version> specifier rather than the bare package name), or document this supply-chain dependency clearly.
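The two CLI-invocation findings above (the PAT on the command line and in error messages, and the unpinned npx fallback) can be fixed in one place, shown here as an added example that is not the skill's own code. It prefers an already installed CLI, refuses to fall back to npx unless an exact version is pinned, passes the token through the environment instead of argv, and redacts the token from anything that ends up in an error message. The assumption that the CLI reads `SMARTTHINGS_TOKEN` from the environment follows its documentation; verify it against the version you pin. The version number in the test is a placeholder.

```python
# Added example (not the skill's own code): invoke the SmartThings CLI
# without putting the PAT on the command line and without an unpinned
# "npx -y @smartthings/cli" download.
import os
import re
import shutil
import subprocess

# Exact semver only: no "latest", no dist-tags, no ^/~ ranges.
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def resolve_cli(pinned_version, which=shutil.which):
    """Prefer an installed CLI; otherwise fall back to npx with an exact pin."""
    installed = which("smartthings")
    if installed:
        return [installed]
    if not EXACT_VERSION_RE.match(pinned_version or ""):
        raise ValueError(f"refusing unpinned SmartThings CLI version {pinned_version!r}")
    npx = which("npx")
    if not npx:
        raise FileNotFoundError("neither smartthings nor npx found on PATH")
    return [npx, "-y", f"@smartthings/cli@{pinned_version}"]


def redact(text, secrets):
    """Replace every occurrence of each secret before the text is logged or raised."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, "<redacted>")
    return text


def run_cli(args, token, pinned_version, runner=subprocess.run, which=shutil.which):
    cmd = resolve_cli(pinned_version, which) + list(args)
    # Assumption: the CLI honours SMARTTHINGS_TOKEN (its documented alternative
    # to --token). The token is never part of argv, so it cannot show up in
    # "ps" output or in a logged command string.
    env = {**os.environ, "SMARTTHINGS_TOKEN": token}
    try:
        return runner(cmd, env=env, check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as exc:
        # The CLI's own stderr might echo the token; scrub it before it is
        # surfaced. "from None" drops the original exception so the
        # unredacted stderr is not reachable through __context__.
        message = f"Command: {' '.join(cmd)}\nstderr: {exc.stderr or ''}"
        raise RuntimeError(redact(message, [token])) from None
```

Dropping the exception chain is deliberate: an unredacted `CalledProcessError` attached as `__context__` would still be printed by a traceback, which is exactly the crash-report path the finding describes.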
