Blueair Expert

Pass. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate Blueair purifier integration, but it needs Blueair account credentials, local Node execution, and permission to change real device settings.

Before installing, confirm you are comfortable giving the skill access to your Blueair account and purifier controls. Store the config file securely, consider a dedicated Blueair account, review npm dependencies, and require explicit confirmation before the agent changes device settings.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any process that can read this config file may be able to use the Blueair account, and the skill can act with that account's device permissions.

Why it was flagged

The skill requires Blueair login credentials stored locally and transmitted to provider authentication/API endpoints. This is expected for the stated purpose, but it is sensitive account access.

Skill content

Create a `~/.blueair/config.json` file ... { "username": "your-email@example.com", "password": "your-password", "region": "CN" } ... credentials are sent to Blueair's official authentication endpoints

Recommendation

Use a dedicated or low-privilege Blueair account if possible, restrict file permissions on ~/.blueair/config.json, and avoid pasting passwords into chat unless you intentionally choose to.

What this means

The agent can turn purifiers on/off, change fan speed, and alter modes, which may affect comfort, noise, energy use, and air quality.

Why it was flagged

The skill can invoke a local command that changes purifier state. The instruction to confirm intent helps keep this purpose-aligned, but it is still real device-control authority.

Skill content

1. Confirm the intent. 2. Run `node dist/set_state.js <uuid> <attribute> <value>` ... "Turn off" -> `node dist/set_state.js <uuid> standby true` ... "Max speed" -> `node dist/set_state.js <uuid> fanspeed 3`

Recommendation

Only approve device changes you understand, and ask the agent to summarize exactly which purifier and setting it will change before it runs the command.

What this means

Installing dependencies runs the normal npm supply chain for this package, which is outside the skill text itself.

Why it was flagged

The skill's own metadata says it needs npm dependencies and local configuration, while the registry install specification is absent. The package includes package.json/package-lock.json, so this is a disclosed setup step, not hidden execution.

Skill content

install_steps:
    - "npm install"
    - "Create ~/.blueair/config.json"

Recommendation

Review package.json/package-lock.json before running npm install, and install in a normal user account rather than with elevated privileges.