← Back to Skills Marketplace
regenrek

Samsung Smartthings

by regenrek · GitHub ↗ · v0.0.1
cross-platform ⚠ suspicious
2054
Downloads
2
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install samsung-smartthings
Description
Control Samsung TVs via SmartThings (OAuth app + device control).
Usage Guidance
Things to consider before installing: - Metadata mismatch: The registry shows no required binaries or env vars, but the SKILL.md/script expect python3 and the SmartThings CLI (or npx) and optionally a SMARTTHINGS_TOKEN/PAT. Double-check you can provide the PAT and have the required tooling. - Default redirect leaks the auth code: The script defaults to redirecting to https://httpbin.org/get to let you see the code in a browser. That sends the authorization code to a third-party service (httpbin.org). If you care about privacy or security, override --redirect-uri to a URI you control (or use the console-based app creation flow). - npx runtime fetch: If you don't have a local smartthings binary, the script will run 'npx -y @smartthings/cli' which fetches and executes a package from the npm registry at runtime. If you prefer, install the official SmartThings CLI beforehand from a trusted source to avoid dynamic fetch. - Secrets storage: The script writes client id/secret and access/refresh tokens to ~/.clawdbot/.env (or CLAWDBOT_STATE_DIR/.env) and attempts to set mode 600. Inspect that file and protect it; consider using a dedicated secure secret store if needed. - Review before running: Read the bundled scripts (setup_smartthings.py) and consider running the commands manually or in a controlled environment the first time. If anything about the redirect URI, PAT handling, or CLI invocation makes you uncomfortable, do not run the script until you can safely provide an alternate redirect URI and a vetted CLI installation. Overall: the skill appears to implement its stated function, but the httpbin default redirect and runtime npx execution are notable risks and the published metadata is inconsistent with the actual requirements. If you proceed, correct the redirect URI and install/verify the SmartThings CLI yourself rather than relying on npx.
Capability Analysis
Type: OpenClaw Skill Name: samsung-smartthings Version: 0.0.1 The skill is classified as suspicious due to several risky capabilities, despite aligning with its stated purpose. It requests broad SmartThings OAuth scopes (`r:devices:*`, `x:devices:*`) granting extensive control over devices. The `scripts/setup_smartthings.py` script dynamically executes remote code by using `npx -y @smartthings/cli` to install and run the SmartThings CLI. Additionally, the default OAuth redirect URI is set to `https://httpbin.org/get`, which, during the manual user authentication flow, could expose the authorization code in a third-party service's logs, even though the script itself does not exfiltrate this code.
Capability Assessment
Purpose & Capability
The skill's behavior (provision an OAuth app, exchange code, store client id/secret and tokens, call the SmartThings CLI to control devices) is coherent with the described purpose. However registry metadata lists no required binaries or env vars while SKILL.md (and the script) rely on python3, the SmartThings CLI (or npx), and the optional SMARTTHINGS_TOKEN / SMARTTHINGS_PAT PAT. That mismatch between the published metadata and the runtime instructions is an inconsistency that could confuse users.
Instruction Scope
The SKILL.md and script ask to create an OAuth app and write secrets (SMARTTHINGS_CLIENT_SECRET, tokens) into ~/.clawdbot/.env — this is expected for the task. However the default OAuth redirect URI is https://httpbin.org/get which will send the authorization code to a third-party service (httpbin.org) by default; that leaks the code to an external endpoint unless the user overrides the redirect URI. The script also invokes the SmartThings CLI (via subprocess), which runs external code/commands on the host. The instructions do not request unrelated files or credentials beyond SmartThings-related tokens.
Install Mechanism
This is an instruction-only skill with a bundled Python script, so there's no packaged installer — good. But the script will invoke the SmartThings CLI via either an installed 'smartthings' binary or 'npx -y @smartthings/cli'. Using npx -y causes automatic fetching and execution of code from the npm registry at runtime, which is a higher-risk dynamic install step. SKILL.md metadata also suggests brew installs for python/node, but the registry install metadata does not declare those — another inconsistency.
Credentials
The script legitimately needs SmartThings credentials: a PAT (SMARTTHINGS_TOKEN / SMARTTHINGS_PAT) to create the OAuth app headlessly, and it writes SMARTTHINGS_APP_ID, SMARTTHINGS_CLIENT_ID, SMARTTHINGS_CLIENT_SECRET and token values to the user's CLAWDBOT state dir. These environment accesses are proportional to the described capability. The skill does not request unrelated credentials, but the registry metadata claims no required env vars while the runtime requires a PAT — the mismatch is noteworthy.
Persistence & Privilege
The skill does not request always:true and will only run when invoked. It writes credentials into a single file under the user's state directory (~/.clawdbot/.env or CLAWDBOT_STATE_DIR), which is expected for storing API credentials. It does not request system-wide privileges or modify other skills' configurations.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install samsung-smartthings
  3. After installation, invoke the skill by name or use /samsung-smartthings
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.1
Control Samsung TVs via SmartThings (OAuth app + device control).
Metadata
Slug samsung-smartthings
Version 0.0.1
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Samsung Smartthings?

Control Samsung TVs via SmartThings (OAuth app + device control). It is an AI Agent Skill for Claude Code / OpenClaw, with 2054 downloads so far.

How do I install Samsung Smartthings?

Run "/install samsung-smartthings" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Samsung Smartthings free?

Yes, Samsung Smartthings is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Samsung Smartthings support?

Samsung Smartthings is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Samsung Smartthings?

It is built and maintained by regenrek (@regenrek); the current version is v0.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments