Homey
v1.1.2Control Athom Homey smart home devices via local (LAN/VPN) or cloud APIs. List/control devices, trigger flows, query zones. Works with Homey Pro, Cloud, and Bridge.
⭐ 3· 2.8k·6 current·6 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the code and runtime instructions. The package implements a CLI (homeycli) that uses the official homey-api library to list/control devices, flows, and zones. Required binary 'homeycli' and the node install that produces it are appropriate for this purpose. No unrelated credentials or tools are requested.
Instruction Scope
SKILL.md and CLI docs are narrowly scoped to Homey control: auth setup (local API key or cloud token), device/flow commands, snapshot, and JSON output. Instructions reference ~/.homey/config.json and environment variables (HOMEY_TOKEN, HOMEY_LOCAL_TOKEN, HOMEY_ADDRESS) — these are the expected configuration locations for storing Homey tokens. The skill prompts for tokens and recommends --stdin to avoid shell history, which is reasonable. Note: the skill can control sensitive devices (locks, flows) if given tokens.
Install Mechanism
Install spec uses a Node package install from the included package (npm install in the skill directory) and creates the 'homeycli' binary. This pulls dependencies from npm (including homey-api). That's standard for a Node CLI but carries the usual supply-chain risk of npm packages and any postinstall scripts in dependencies. No downloads from obscure external URLs or URL shorteners were observed.
Credentials
The skill does not require unrelated credentials. It optionally uses Homey credentials (HOMEY_TOKEN, HOMEY_LOCAL_TOKEN) and HOMEY_ADDRESS; these are appropriate. SKILL.md/frontmatter did not declare required env vars because tokens are optional until you configure the CLI — this is coherent. Be aware that any saved token or config (~/.homey/config.json or env vars) gives the skill (and therefore any agent invoking the CLI) full ability to control your Homey devices.
Persistence & Privilege
always:false and normal autonomous invocation are set. The install files write the CLI and may create/modify ~/.homey/config.json to store tokens (expected behavior). The skill does not request system-wide privileges or alter other skills' configs.
Assessment
This skill appears to be what it says: a Homey CLI wrapper meant for agent use. Before installing, consider: 1) Tokens are powerful — any HOMEY_TOKEN or local API key you save or export grants control of your devices (locks, switches, flows). Only install if you trust the author/repo. 2) The installer runs npm install and will fetch dependencies from the npm registry; review package.json and dependency tree if you have supply-chain concerns. 3) The CLI stores credentials in ~/.homey/config.json (or reads env vars); if you later remove the skill, check and delete that file and rotate tokens if needed. 4) Prefer local mode when the agent runs on your LAN (limits exposure) and use --stdin or hidden prompt to avoid leaving tokens in shell history. 5) If you want extra assurance, inspect package.json and the included JS files (lib/) yourself or run the CLI in an isolated environment (container/VM) before giving it real tokens.Like a lobster shell, security has layers — review code before you run it.
latestvk9799dfmmz4zwar29xqbskpbms7z1dtt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binshomeycli
Install
Install Homey CLI
Bins: homeycli
npm i -g .