Samsung Smartthings
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: samsung-smartthings
Version: 0.0.1

The skill is classified as suspicious due to several risky capabilities, despite aligning with its stated purpose. It requests broad SmartThings OAuth scopes (`r:devices:*`, `x:devices:*`) that grant extensive control over devices. The `scripts/setup_smartthings.py` script dynamically executes remote code by using `npx -y @smartthings/cli` to install and run the SmartThings CLI. Additionally, the default OAuth redirect URI is set to `https://httpbin.org/get`, which, during the manual user authentication flow, could expose the authorization code in a third-party service's logs, even though the script itself does not exfiltrate this code.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If granted, the integration may be able to read or control other SmartThings devices in the account, not only the TV.
These scopes allow read and command execution across SmartThings devices generally, which is broader than the stated Samsung TV-control purpose.
Uses scopes `r:devices:*` and `x:devices:*` (read + execute commands).
Use the least-privileged SmartThings scopes available, clearly warn users that all-device control is being granted, and ensure agent actions are limited to the configured TV device ID.

A SmartThings PAT could appear in terminal output, logs, crash reports, or screenshots after a setup failure.
The PAT is added to the command line and the full command is included in an error message if the CLI call fails.
`cmd.extend(["--token", token]) ... f"Command: {' '.join(cmd)}"`
Do not place tokens in logged command strings; pass credentials through safer mechanisms if supported and redact secrets from all error messages.

The temporary OAuth code may be visible to httpbin.org and may also be stored in browser history or logs.
The OAuth authorization code is sent to a third-party echo service by default rather than to a user-controlled or local callback.
Redirect URI defaults to `https://httpbin.org/get` ... "The default redirect uses https://httpbin.org/get to show the code in the URL"
Use a user-controlled redirect URI or localhost callback by default, and clearly warn users before using any third-party redirect service.

Setup depends on the current npm-published SmartThings CLI package, which can change over time.
If the SmartThings CLI is not already installed, setup may download and run the latest npm package through npx without a pinned version.
`return [npx_path, "-y", "@smartthings/cli"]`
Prefer installing a vetted or pinned SmartThings CLI version, or document this supply-chain dependency clearly.
