Dyson Fan Control
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: dyson-cli Version: 0.1.0 The OpenClaw AgentSkills bundle for 'dyson-cli' is classified as benign. The skill's purpose is clearly defined as controlling Dyson devices locally via MQTT, and all code and instructions align with this purpose. While Dyson account credentials are stored locally in `~/.dyson/config.json` after initial setup, this is a necessary and common practice for CLI tools requiring persistent authentication, and there is no evidence of exfiltration of these or any other sensitive data. All network communication initiated by the skill, beyond the initial Dyson cloud login for credential fetching, is confined to the local network to interact with Dyson devices. The `SKILL.md` instructions do not contain any prompt injection attempts to subvert the agent or perform unauthorized actions, and embedded shell commands are benign, processing the skill's own output.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could turn a device on or off, change fan speed, or enable heating.
The skill exposes commands that can change the state of a physical Dyson fan/heater. This is expected for the skill, but users should be aware that invocations can affect comfort, energy use, and heating behavior.
dyson on ... dyson off ... dyson heat on ... dyson heat target 22
Use the skill only for explicit Dyson-control requests, and confirm heating or power changes when the impact matters.
Anyone with access to the saved credential file may be able to control configured Dyson devices on the local network.
Setup prompts for Dyson account authentication and saves device credentials locally. This is disclosed and necessary for local device control, but it is still sensitive account/device authority.
password = click.prompt("Enter your Dyson account password", hide_input=True) ... "credential": device.credential ... save_config(config)Run setup only from a trusted install, keep `~/.dyson/config.json` private, and remove the config if you no longer use the skill.
Installing directly from a moving remote repository could install code different from the reviewed artifact if the repository changes.
The documented install path pulls code from a GitHub repository rather than a pinned release in the provided registry install spec. This is a common manual CLI installation pattern, but users should verify the source.
pip install git+https://github.com/tmustier/dyson-cli.git
Prefer a reviewed release, pinned commit, or trusted package source before installing and running setup.