Blueair Expert
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: blueair-openclaw-skill
Version: 0.1.1
The skill bundle is a legitimate tool for managing Blueair air purifiers via an MCP server or CLI scripts. It interacts with official Blueair/Gigya endpoints (e.g., accounts.us1.gigya.com and execute-api.us-east-2.amazonaws.com) to authenticate and control devices. Credentials are handled locally through environment variables or a configuration file (~/.blueair/config.json), and the SKILL.md instructions are strictly aligned with the stated purpose of air quality management. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read this config file may be able to use the Blueair account, and the skill can act with that account's device permissions.
The skill requires Blueair login credentials stored locally and transmitted to provider authentication/API endpoints. This is expected for the stated purpose, but it is sensitive account access.
Create a `~/.blueair/config.json` file ... { "username": "your-email@example.com", "password": "your-password", "region": "CN" } ... credentials are sent to Blueair's official authentication endpoints
Use a dedicated or low-privilege Blueair account if possible, protect ~/.blueair/config.json file permissions, and avoid pasting passwords into chat unless you intentionally choose to.
The agent can turn purifiers on/off, change fan speed, and alter modes, which may affect comfort, noise, energy use, and air quality.
The skill can invoke a local command that changes purifier state. The instruction to confirm intent helps keep this purpose-aligned, but it is still real device-control authority.
1. Confirm the intent. 2. Run `node dist/set_state.js <uuid> <attribute> <value>` ... "Turn off" -> `node dist/set_state.js <uuid> standby true` ... "Max speed" -> `node dist/set_state.js <uuid> fanspeed 3`
Only approve device changes you understand, and ask the agent to summarize exactly which purifier and setting it will change before it runs the command.
Installing dependencies runs the normal npm supply chain for this package, which is outside the skill text itself.
The skill's own metadata says it needs npm dependencies and local configuration, while the registry install specification is absent. The package includes package.json/package-lock.json, so this is a disclosed setup step, not hidden execution.
install_steps:
- "npm install"
- "Create ~/.blueair/config.json"
Review package.json/package-lock.json before running npm install, and install in a normal user account rather than with elevated privileges.
