TRÅDFRI Lights
v0.2.0
Control IKEA TRÅDFRI lights and groups through a local TRÅDFRI gateway using the native gateway API via node-tradfri-client. Use when the user wants to list...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (local TRÅDFRI gateway control) align with the provided scripts and instructions: the script uses node-tradfri-client and operates only against a locally reachable gateway host. Minor metadata mismatch: the registry lists no required env vars or binaries, while the SKILL.md and script require Node.js and allow TRADFRI_HOST/TRADFRI_IDENTITY/TRADFRI_PSK (and a few tuning env vars). This appears to be an omission in metadata rather than malicious intent.
Instruction Scope
SKILL.md instructs running the included script and installing dependencies (npm install). The runtime instructions and operating rules limit actions to the local TRÅDFRI gateway and ask for confirmation on bulk/house actions; the script reads local config.json and environment variables. The instructions do not direct data to external endpoints beyond the gateway, nor do they ask to read unrelated system files.
Install Mechanism
This is instruction-only (no autoinstall spec). The user is told to run `npm install` in the skill folder to install node-tradfri-client. No downloads from untrusted URLs or remote extract/install steps are present. The lack of an install spec and the requirement to run npm manually is normal but should be noted by the user.
Credentials
The script legitimately needs only local gateway credentials (identity/psk) and the gateway host. Those are the only sensitive values used. However, the registry metadata did not declare these environment variables or the implicit Node requirement; additionally the script accepts extra tuning env vars (TRADFRI_SETTLE_MS, TRADFRI_RETRIES, TRADFRI_RETRY_DELAY_MS) that are not documented in the registry metadata. This is a proportional but partly undocumented set of env vars.
Persistence & Privilege
The skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills or global agent configuration. It runs as a local script when invoked and therefore has only the privileges of the process that executes it.
Assessment
This skill appears to do what it says: control a local IKEA TRÅDFRI gateway. Before installing or running it:
1) Ensure Node.js is available and run `npm install` in the skill folder as instructed.
2) Provide gateway credentials only via config.json or the env vars TRADFRI_HOST / TRADFRI_IDENTITY / TRADFRI_PSK — do not publish these values.
3) Be aware the script must be able to reach the gateway on your local network; run it from a host with network access to the gateway.
4) Review scripts/tradfri.js yourself (it is included) if you have concerns — it operates locally and does not contact external services.
5) Note minor metadata omissions: the registry did not declare the env vars or the Node binary requirement; treat that as a packaging/documentation issue rather than a security red flag.
If you want higher assurance, run the script in a controlled environment (or inspect and run it manually) before allowing autonomous agent invocation.
Like a lobster shell, security has layers — review code before you run it.
