Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Starling Home Hub (Nest/Google Home)

Controls Nest and Google Home smart home devices via the Starling Home Hub's local REST API. Supports thermostats, cameras, Nest Protects, Nest × Yale locks, temperature sensors, home/away control, and Nest weather service. Use this skill when managing Nest/Google Home devices through Starling Home Hub — reading device status, setting temperatures, getting camera snapshots, locking/unlocking doors, checking smoke/CO alerts, and toggling home/away mode.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
The name/description are consistent with the actual artifacts: SKILL.md documents a local REST API integration and the included script (scripts/starling.sh) implements calls to that API. Required inputs (HUB IP and API key) are exactly what a local Starling Developer Connect integration needs; no unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are limited to setting STARLING_HUB_IP and STARLING_API_KEY and invoking the provided script. The SKILL.md and script only reference the hub API, snapshot files the user requests, and standard tooling (curl, optional jq). The script warns against passing keys on the command line and recommends secure handling; it does not read arbitrary system files or exfiltrate data to third parties.
Install Mechanism
There is no install spec (instruction-only) and the repository only includes a single Bash wrapper script and API reference. Nothing is downloaded from external URLs or installed automatically, so no unexpected install-time code is introduced.
Credentials
Only two environment variables are required: STARLING_HUB_IP (non-secret) and STARLING_API_KEY (secret). Both are necessary and appropriate for accessing the local hub. The SKILL.md and script use only these variables.
Persistence & Privilege
always:false and the skill is user-invocable (default). It does not request permanent presence, modify other skills, or access unrelated system configs. Note: autonomous model invocation is enabled by default (disable-model-invocation:false) but this is normal and not combined with other concerning flags.
Assessment
This skill appears coherent and implements a local Starling Home Hub client via an included Bash script. Before installing:

  (1) only provide STARLING_API_KEY and the hub IP — treat that key as sensitive and create a least-privilege/read-only key if possible;
  (2) avoid passing the key with --key (visible in process lists); use the STARLING_API_KEY env var instead;
  (3) prefer supplying --cacert to pin the hub certificate rather than accepting -k (curl -k disables TLS verification and is acceptable only on a fully trusted local network);
  (4) never port-forward the hub ports to the internet;
  (5) snapshots are written with owner-only permissions by the script but still handle them carefully;
  (6) inspect scripts you run locally (scripts/starling.sh is included and readable) and ensure you trust the source before giving the agent access to your hub credentials.

If you plan to allow autonomous agent actions, be aware the agent could issue commands to your hub while it has access to the API key — consider limiting the skill's use or the key's permissions accordingly.

Current version: v1.0.2
Tags: camera, google-home, home-automation, iot, latest, lock, nest, smart-home, thermostat

SKILL.md

Starling Home Hub (Nest/Google Home)

Community skill — not affiliated with or endorsed by Starling LLC, Google, Nest, or Apple. Nest is a trademark of Google LLC. Starling Home Hub is a product of Starling LLC. This skill requires a Starling Home Hub with firmware 8.0+ and the Developer Connect API enabled.

Overview

Control Nest smart home devices through the Starling Home Hub Developer Connect (SDC) local REST API using the starling.sh script.

Required Environment Variables

Variable | Required | Secret | Description
STARLING_HUB_IP | Yes | No | Local IP address of your Starling Home Hub (e.g. 192.168.1.151)
STARLING_API_KEY | Yes | Yes | API key created in the Starling Home Hub app (Developer Connect section)

Setup

Set these environment variables (never hardcode keys in scripts):

export STARLING_HUB_IP="192.168.1.xxx"
export STARLING_API_KEY="your-api-key"     # From Starling Home Hub app

The script is at: scripts/starling.sh

Options: --http (downgrade to HTTP — not recommended), --raw (skip jq formatting)

HTTPS is the default. The script uses port 3443 unless --http is specified.

Security

API Key Management

  • Always use the STARLING_API_KEY env var — never pass keys via --key (visible in ps output)
  • Never store keys in scripts, SKILL.md, or version-controlled files
  • Use a .env file with restricted permissions: chmod 600 .env
  • Consider a secrets manager for production/automated setups
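
One way to apply the .env advice above, as an added example that is not part of the skill: refuse to read the file unless it is owner-only, and parse just the two expected variables instead of sourcing it. The function names and the NAME=value file layout are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of the skill). load_starling_env and
# env_file_is_private are assumed names; .env holds NAME=value lines.

# Succeed only for a regular, non-symlink file with no group/other bits set.
env_file_is_private() {
    local file mode
    file=$1
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    # First field of `ls -ld` is the mode string, e.g. "-rw-------".
    mode=$(ls -ld -- "$file" | awk '{print $1}')
    # Characters 5-10 are the group and other bits; all must be "-".
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ]
}

# Export STARLING_HUB_IP and STARLING_API_KEY from the file without sourcing
# it, so nothing else in the file is ever executed.
load_starling_env() {
    local file line name value
    file=${1:-.env}
    if ! env_file_is_private "$file"; then
        echo "refusing to read $file: fix with chmod 600 $file" >&2
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }
        case $line in
            STARLING_HUB_IP=*|STARLING_API_KEY=*) ;;
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        value=${value#\"}; value=${value%\"}   # drop one pair of double quotes
        export "$name=$value"
    done < "$file"
    # Both settings must be present for the script to work.
    [ -n "${STARLING_HUB_IP:-}" ] && [ -n "${STARLING_API_KEY:-}" ]
}
```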

Least Privilege

  • Create API keys with minimum required permissions in the Starling Home Hub app
  • Use read-only keys unless you need to set properties or access camera streams
  • Create separate keys for different automation tasks if possible
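
A client-side guard that complements a read-only key, as an added example that is not part of the skill: an agent calls guarded_starling instead of scripts/starling.sh, and only allowlisted read operations pass, while --key and --http are rejected as recommended elsewhere on this page. guarded_starling, check_starling_args, STARLING_ALLOWED_OPS and STARLING_CMD are assumed names; the options recognised are the ones this page mentions.

```bash
#!/usr/bin/env bash
# Added example (not part of the skill). All function and variable names
# defined here are assumptions.

# Succeed if the argument list is acceptable; otherwise print the reason.
check_starling_args() {
    local allowed arg op skip
    allowed=${STARLING_ALLOWED_OPS:-status devices device get}
    op=
    skip=0
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $arg in
            --key|--key=*) echo "denied: --key is visible in ps output"; return 1 ;;
            --http)        echo "denied: --http sends the key in clear text"; return 1 ;;
            --cacert|--output|--width) skip=1 ;;   # option that takes a value
            --*) ;;                                # e.g. --raw
            *) [ -n "$op" ] || op=$arg ;;          # first bare word is the operation
        esac
    done
    if [ -z "$op" ]; then echo "denied: no operation given"; return 1; fi
    case " $allowed " in
        *" $op "*) return 0 ;;
        *) echo "denied: operation '$op' is not in the allowlist"; return 1 ;;
    esac
}

# Run the real script only when the arguments pass the check.
guarded_starling() {
    local reason
    if ! reason=$(check_starling_args "$@"); then
        echo "guarded_starling: $reason" >&2
        return 1
    fi
    "${STARLING_CMD:-scripts/starling.sh}" "$@"
}
```

Set STARLING_ALLOWED_OPS (space-separated) to widen the allowlist for a task that needs set or snapshot.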

TLS Certificate Verification

  • HTTPS is the default, but the script uses curl -k (skip cert verification) because Starling Home Hub uses a self-signed certificate
  • This is acceptable on a trusted local network but increases MITM risk on untrusted networks
  • To pin the hub's certificate instead: starling.sh --cacert /path/to/hub-cert.pem status
  • When --cacert is provided, -k is not used and full certificate verification applies

API Key in URL

  • The Starling Developer Connect API requires the key as a URL query parameter (?key=...) — this is the API's design, not a skill choice
  • URL query parameters can appear in access logs and browser history — this is mitigated by the API being local-only (no intermediary proxies/CDNs)
  • Always use HTTPS to encrypt the key in transit on your local network
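
Because the key travels in the URL, anything that logs URLs can capture it. The following added example (not part of the skill) redacts key= values before a line is logged and audits existing files for values that already leaked; the function names are assumptions and the sample URL in the comment is constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the skill). redact_key, find_key_leaks and
# log_request are assumed names.

# Filter: replace the value of every key= query parameter with REDACTED.
# Constructed sample: .../constructed/path?key=abc123&x=1
#            becomes: .../constructed/path?key=REDACTED&x=1
redact_key() {
    sed -E 's/([?&]key=)[^&#[:space:]"]+/\1REDACTED/g'
}

# Audit: print "file:line" for every line in the given files that still holds
# an unredacted key= value. The value itself is never printed.
find_key_leaks() {
    awk '{
        line = $0
        gsub(/[?&]key=REDACTED/, "", line)   # ignore values already redacted
        if (line ~ /[?&]key=[^&# \t"]+/) print FILENAME ":" FNR
    }' "$@"
}

# Log a request line (method and URL) to stderr with the key removed.
log_request() {
    printf '%s %s\n' "$1" "$2" | redact_key >&2
}
```

Pipe wrapper or debug output through redact_key before it is written anywhere, and run find_key_leaks over existing log files to find lines that need cleaning and keys that need rotating.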

Network Security

  • The Starling API is local network only by design — no cloud exposure
  • Never port-forward 3080 or 3443 to the internet
  • Always use HTTPS (default) to prevent local network sniffing of API keys and device data

Snapshot Handling

  • Camera snapshots contain sensitive imagery — don't store in world-readable locations
  • The script sets snapshot files to chmod 600 (owner-only) automatically
  • Clean up temporary snapshot files when no longer needed

Best Practices

Always Check Status First

Before making device calls, verify the hub is ready:

scripts/starling.sh status

Confirm apiReady: true and connectedToNest: true before proceeding.

Respect Rate Limits

These limits are enforced by the Nest cloud:

  • POST (set properties): max once per second per device
  • Snapshot: max once per 10 seconds per camera
  • GET (read properties/device list): no cloud rate limit (local cache)

Idempotent Operations

Safe to retry without side effects:

  • All GET operations (status, devices, device, get, snapshot)
  • SET operations with the same values (setting temp to 22 when already 22)
  • stream-extend (just resets the keepalive timer)

Not idempotent: stream-start (creates a new stream each time)

Error Handling

The script provides actionable error messages:

  • 401: Check API key and permissions — key is never exposed in error output
  • 404: Verify device ID and property name
  • 400: Check parameter values and types

Common Workflows

List All Devices

scripts/starling.sh devices

Read Device Properties

scripts/starling.sh device <id>          # All properties
scripts/starling.sh get <id> <property>  # Single property

Set Device Properties

scripts/starling.sh set <id> key=value [key=value...]

Camera Snapshots

scripts/starling.sh snapshot <id> --output photo.jpg --width 1280

Camera Streaming (WebRTC)

scripts/starling.sh stream-start <id> <base64-sdp-offer>
scripts/starling.sh stream-extend <id> <stream-id>   # Every 60s
scripts/starling.sh stream-stop <id> <stream-id>

Common Tasks

Set thermostat to 22°C:

scripts/starling.sh set <thermostat-id> targetTemperature=22

Set HVAC mode:

scripts/starling.sh set <thermostat-id> hvacMode=heat

Check for motion on camera:

scripts/starling.sh get <camera-id> motionDetected

Lock/unlock a door:

scripts/starling.sh set <lock-id> targetState=locked

Get camera snapshot:

scripts/starling.sh snapshot <camera-id> --output front-door.jpg

Check smoke/CO status:

scripts/starling.sh get <protect-id> smokeDetected
scripts/starling.sh get <protect-id> coDetected

Set home/away:

scripts/starling.sh set <home-away-id> homeState=away

API Reference

See references/api-reference.md for full device property details, writable properties, error codes, and endpoint documentation.

Files

3 total