Skylight

Advisory

Audited by Static analysis on May 8, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with access to these environment variables or tokens could access or change data in the user's Skylight household account.

Why it was flagged

The skill uses Skylight account credentials or a full authorization token and requests a broad OAuth scope. This is expected for managing the account via the unofficial API, but it gives the agent sensitive delegated access.

Skill content
`Plain env: SKYLIGHT_EMAIL, SKYLIGHT_PASSWORD` ... `SKYLIGHT_TOKEN`: Full Authorization header value ... `scope everything`

Recommendation

Use only your own account, keep tokens out of logs, rotate any exposed credentials, keep `SKYLIGHT_URL` pointed at the official Skylight domain unless you have deliberately changed it, and restrict any 1Password service-account token to the minimum vault/item needed.

What this means

If invoked incorrectly, the agent could add or modify chores, tasks, lists, events, or related household items.

Why it was flagged

The skill documents direct API write operations, such as creating chores and task-box items. These operations are aligned with the stated purpose but can change household data.

Skill content
`curl -s -X POST "$SKYLIGHT_URL/api/frames/$SKYLIGHT_FRAME_ID/chores"`

Recommendation

Review write operations before allowing them, especially bulk or recurring changes, and prefer explicit user confirmation for creates, updates, deletes, or reward-related actions.

What this means

The API behavior could change unexpectedly, and users rely on the skill author's reverse-engineered flow for authentication and account operations.

Why it was flagged

The integration depends on an unofficial API rather than a documented vendor-supported interface. This is disclosed and not inherently malicious, but users should understand the provenance and support limitations.

Skill content
This skill uses an **unofficial, reverse-engineered API**. It is not affiliated with or endorsed by Skylight.

Recommendation

Verify the package source and maintainer before installing, monitor for API/authentication failures, and avoid granting credentials if you are not comfortable using an unofficial integration.