Samsung Smartthings
v0.0.1
Control Samsung TVs via SmartThings (OAuth app + device control).
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill's behavior (provision an OAuth app, exchange the code, store the client id/secret and tokens, call the SmartThings CLI to control devices) is coherent with the described purpose. However, the registry metadata lists no required binaries or env vars, while SKILL.md (and the script) rely on python3, the SmartThings CLI (or npx), and the optional SMARTTHINGS_TOKEN / SMARTTHINGS_PAT personal access token (PAT). That mismatch between the published metadata and the runtime instructions is an inconsistency that could confuse users.
Instruction Scope
The SKILL.md and script ask to create an OAuth app and write secrets (SMARTTHINGS_CLIENT_SECRET, tokens) into ~/.clawdbot/.env — this is expected for the task. However the default OAuth redirect URI is https://httpbin.org/get which will send the authorization code to a third-party service (httpbin.org) by default; that leaks the code to an external endpoint unless the user overrides the redirect URI. The script also invokes the SmartThings CLI (via subprocess), which runs external code/commands on the host. The instructions do not request unrelated files or credentials beyond SmartThings-related tokens.
Install Mechanism
This is an instruction-only skill with a bundled Python script, so there's no packaged installer — good. But the script will invoke the SmartThings CLI via either an installed 'smartthings' binary or 'npx -y @smartthings/cli'. Using npx -y causes automatic fetching and execution of code from the npm registry at runtime, which is a higher-risk dynamic install step. SKILL.md metadata also suggests brew installs for python/node, but the registry install metadata does not declare those — another inconsistency.
Credentials
The script legitimately needs SmartThings credentials: a PAT (SMARTTHINGS_TOKEN / SMARTTHINGS_PAT) to create the OAuth app headlessly, and it writes SMARTTHINGS_APP_ID, SMARTTHINGS_CLIENT_ID, SMARTTHINGS_CLIENT_SECRET and token values to the user's CLAWDBOT state dir. These environment accesses are proportional to the described capability. The skill does not request unrelated credentials, but the registry metadata claims no required env vars while the runtime requires a PAT — the mismatch is noteworthy.
Persistence & Privilege
The skill does not request always:true and will only run when invoked. It writes credentials into a single file under the user's state directory (~/.clawdbot/.env or CLAWDBOT_STATE_DIR), which is expected for storing API credentials. It does not request system-wide privileges or modify other skills' configurations.
What to consider before installing
Things to consider before installing:
- Metadata mismatch: The registry shows no required binaries or env vars, but the SKILL.md/script expect python3 and the SmartThings CLI (or npx) and optionally a SMARTTHINGS_TOKEN/PAT. Double-check you can provide the PAT and have the required tooling.
- Default redirect leaks the auth code: The script defaults to redirecting to https://httpbin.org/get to let you see the code in a browser. That sends the authorization code to a third-party service (httpbin.org). If you care about privacy or security, override --redirect-uri to a URI you control (or use the console-based app creation flow).
- npx runtime fetch: If you don't have a local smartthings binary, the script will run 'npx -y @smartthings/cli' which fetches and executes a package from the npm registry at runtime. If you prefer, install the official SmartThings CLI beforehand from a trusted source to avoid dynamic fetch.
- Secrets storage: The script writes client id/secret and access/refresh tokens to ~/.clawdbot/.env (or CLAWDBOT_STATE_DIR/.env) and attempts to set mode 600. Inspect that file and protect it; consider using a dedicated secure secret store if needed.
- Review before running: Read the bundled scripts (setup_smartthings.py) and consider running the commands manually or in a controlled environment the first time. If anything about the redirect URI, PAT handling, or CLI invocation makes you uncomfortable, do not run the script until you can safely provide an alternate redirect URI and a vetted CLI installation.
Overall: the skill appears to implement its stated function, but the httpbin default redirect and runtime npx execution are notable risks and the published metadata is inconsistent with the actual requirements. If you proceed, correct the redirect URI and install/verify the SmartThings CLI yourself rather than relying on npx.
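The "Secrets storage" point above (and the SKILL.md note further down that re-running the setup updates the .env entries in place) comes down to two things a user can check themselves: that the file is written with mode 0600 from the start, and that an existing file has not been loosened. The following is an added example, not the skill's own setup_smartthings.py; the way it resolves the state directory (CLAWDBOT_STATE_DIR, else ~/.clawdbot) is an assumption taken from the page's description.

```python
import os
import stat
import tempfile
from pathlib import Path


def env_path() -> Path:
    # Assumption: CLAWDBOT_STATE_DIR overrides the default ~/.clawdbot, as the page describes.
    return Path(os.environ.get("CLAWDBOT_STATE_DIR", Path.home() / ".clawdbot")) / ".env"


def upsert_env(path: Path, updates: dict) -> list:
    """Update KEY=VALUE entries in place (re-runs replace, never duplicate), keep
    comments and unrelated keys, and swap the file in atomically with mode 0600 so
    the secret is never readable by other local users, not even briefly."""
    lines = path.read_text().splitlines() if path.exists() else []
    pending = dict(updates)
    out = []
    for line in lines:
        key = None
        if "=" in line and not line.lstrip().startswith("#"):
            key = line.split("=", 1)[0].strip()
        out.append(f"{key}={pending.pop(key)}" if key in pending else line)
    out += [f"{k}={v}" for k, v in pending.items()]  # keys not present before
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".env.")  # created with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(ln + "\n" for ln in out))
        os.replace(tmp, path)  # atomic: readers see the old or the new file, never a partial one
    except BaseException:
        os.unlink(tmp)
        raise
    return out


def check_env_perms(path: Path) -> list:
    """Findings a reviewer wants before trusting the file the skill wrote."""
    findings = []
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o}, expected 0600 (group/other can read it)")
    if st.st_uid != os.getuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    return findings


if __name__ == "__main__":
    p = env_path()
    for finding in (check_env_perms(p) if p.exists() else [f"{p} does not exist yet"]):
        print(finding)
```

Running the block prints any permission or ownership finding on the existing .env; calling upsert_env with the SMARTTHINGS_* values rewrites it with 0600 regardless of what the skill left behind.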
Runtime requirements
📺 Clawdis
Bins: python3, npx
Install
Install Python (brew)
Bins: python3
brew install python
Install Node.js (brew)
Bins: node, npx
brew install node
latest
Samsung Smart TV (SmartThings)
This skill provisions a SmartThings OAuth app and stores the credentials for Clawdbot.
Setup (one-time)
- Create the SmartThings OAuth app headlessly (requires a PAT) and print a phone login URL, using plain text instructions only.
- Open the URL on your phone, log in, then copy the code query parameter from the redirect page and re-run to exchange it.
- If PAT app creation fails (403), create the app on a normal machine using the SmartThings CLI login flow and then set the client id/secret in the .env before running the code-exchange step.
- Re-run to refresh credentials: describe the action in plain text (no code snippets).
What it does
- Creates an OAuth-In SmartApp with display name smartthings-clawdbot.
- Uses scopes r:devices:* and x:devices:* (read + execute commands).
- Redirect URI defaults to https://httpbin.org/get (can be overridden via redirect-uri option).
- Writes SMARTTHINGS_APP_ID, SMARTTHINGS_CLIENT_ID, SMARTTHINGS_CLIENT_SECRET plus OAuth tokens to ~/.clawdbot/.env (or CLAWDBOT_STATE_DIR/.env).
- Uses the SmartThings CLI to create the OAuth app when a PAT is provided.
- Exchanges the OAuth code for tokens via direct HTTPS to SmartThings (not via the CLI).
Device setup
- Use the SmartThings CLI to list devices in JSON and locate the TV device id.
- Store it as SMARTTHINGS_DEVICE_ID in the same .env file.
Common actions (plain text only)
- List devices and capabilities via the SmartThings CLI.
- Check device status.
- Send switch/volume/mute commands to the TV device.
App launch (Netflix/Prime Video)
- App launch is device-specific; look for applicationLauncher or samsungtv in capabilities.
- Discover app IDs in device status under supportedApps or installedApps.
- Launch apps using the SmartThings CLI and the appId from your TV.
- Example IDs are not universal; use the IDs listed for your TV.
App discovery (when a user asks to open a specific app)
- First, open the target app manually on the TV.
- Then query device status and look for fields like tvChannelName, installedApps, or supportedApps to extract the current appId.
- Save the appId for future use; some IDs are device-specific.
- Known app id patterns (examples):
  - Standard/global apps (often stable):
    - Netflix: org.tizen.netflix-app
    - Amazon Prime: org.tizen.primevideo
    - Pattern: org.tizen.[app-name]
  - Device-specific apps (vary per TV):
    - YouTube: {random}.TizenYouTube
    - Joyn: {random}.ZAPPNVOLLTVFREIGESTREAMT
    - Pattern: {random}.{PackageName}
- Avoid guessing; always confirm the appId from the TV’s status payload.
Notes
- The script defaults to headless mode and will not open a browser.
- Provide a PAT via SMARTTHINGS_TOKEN (or SMARTTHINGS_PAT) to authenticate.
- Create a PAT here: https://account.smartthings.com/tokens
- OAuth flow: open the printed URL on your phone, then copy the code query parameter from the redirect page and re-run with auth-code.
- The default redirect uses https://httpbin.org/get to show the code in the URL; you can switch to your own redirect URI if you don’t want to use httpbin.
- Re-running the setup is safe; it updates the env entries in place.
- Response style: do not include code blocks or inline command snippets; use plain text steps only.
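The redirect-URI concern raised in the security scan and again in the Notes above has a local alternative: point the OAuth app's redirect URI at a loopback receiver instead of https://httpbin.org/get, so the authorization code never leaves the machine, and tie the request to a state value so a stray or injected redirect is refused rather than exchanged. The code below is an added example, not part of the skill or its setup_smartthings.py; port 8765 and the redirect URI http://127.0.0.1:8765/ are assumptions you would register on your own OAuth app.

```python
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

def extract_code(query: str, expected_state: str) -> str:
    """Return the code from a redirect query; refuse it unless 'state' matches ours."""
    params = parse_qs(query, keep_blank_values=True)
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect is not a reply to our login request")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code

class RedirectHandler(BaseHTTPRequestHandler):
    expected_state = ""
    result: dict = {}

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/":  # ignore favicon and other stray requests
            return self.send_error(404)
        try:
            self.result["code"] = extract_code(url.query, self.expected_state)
            status, body = 200, b"Code received; you can close this tab."
        except ValueError as exc:
            self.result["error"] = str(exc)
            status, body = 400, str(exc).encode()
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the code out of the console log
        pass

def wait_for_code(expected_state: str, port: int = 8765, timeout: float = 300) -> str:
    """Serve on 127.0.0.1 (assumed free port 8765) until a redirect lands, then return its code."""
    RedirectHandler.expected_state, RedirectHandler.result = expected_state, {}
    deadline = time.monotonic() + timeout
    with HTTPServer(("127.0.0.1", port), RedirectHandler) as srv:
        srv.timeout = 1  # wake up each second to re-check the deadline
        while not RedirectHandler.result and time.monotonic() < deadline:
            srv.handle_request()
    if "code" not in RedirectHandler.result:
        raise RuntimeError(RedirectHandler.result.get("error", "no redirect received"))
    return RedirectHandler.result["code"]
```

Generate state with secrets.token_urlsafe(24), append it to the printed login URL as the standard OAuth state parameter (assuming that URL accepts one), then call wait_for_code(state) from the machine whose browser completes the login; the returned code is what the re-run with auth-code expects.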