Google Home Control
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims, but it gives the agent broad Google Assistant control over home devices using persistent Google credentials without clear confirmation or device-scope limits.
Review carefully before installing. Only configure this skill if you are comfortable letting the agent send Google Assistant commands to your linked home devices. Prefer adding confirmation rules and limiting which devices/actions the agent may control.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad agent command could change real smart-home devices such as lights, TVs, or appliances.
The script sends whatever command string the agent passes directly to Google Assistant with an authorized bearer token. The shown code does not implement an allowlist, device scope, or confirmation step before issuing commands.
query = sys.argv[1] ... AssistConfig(text_query=query, ...) ... assistant.Assist(... metadata=[('authorization', 'Bearer ' + credentials.token)])
Require explicit user confirmation before executing device-control commands, restrict the skill to approved device names and safe actions, and add extra confirmation for appliances, locks, thermostats, or security-related devices.
Installing and configuring the skill means the agent can use your Google Assistant authorization to act against linked smart-home devices.
The skill reads a persistent Google OAuth refresh token from a local credential file or environment-selected path. This is expected for Google Assistant control, but it gives the skill delegated access to the user's Google Assistant environment.
creds_path = os.environ.get('GOG_HOME_CREDS') ... '~/.config/google-oauthlib-tool/credentials.json' ... refresh_token=creds_data['refresh_token']
Use a dedicated Google project/client, keep the credential file protected, revoke the OAuth grant if you stop using the skill, and avoid granting access on shared machines.
Dependency behavior may change over time, and users must trust the packages pulled during setup.
The setup asks the user to install unpinned Python packages manually. This is normal for a Google Assistant SDK integration, but there is no lockfile or install spec to make dependency versions reproducible.
pip install google-assistant-sdk[samples] google-auth-oauthlib[tool] tenacity
Pin dependency versions, provide a reviewed requirements file or install spec, and install in an isolated virtual environment as documented.
