Nest Devices

by amogower · GitHub ↗ · v2.0.1
cross-platform ⚠ suspicious
Downloads: 2421
Stars: 0
Active Installs: 5
Versions: 5
Install in OpenClaw
/install nest-devices
Description
Control Nest smart home devices (thermostat, cameras, doorbell) via the Device Access API. Use when asked to check or adjust home temperature, view camera feeds, check who's at the door, monitor rooms, or set up temperature schedules.
Usage Guidance
This skill mostly does what it says (Nest control + webhook), but there are important red flags to check before installing:
- Expect to provide sensitive credentials: Nest OAuth client_id/client_secret/refresh_token (or equivalent 1Password item and OP service account token). The registry metadata omitted these — do not assume none are needed.
- Review and restrict any CLAWDBOT_GATEWAY_URL and CLAWDBOT_HOOKS_TOKEN usage. The webhook will POST events (including potentially images) to GATEWAY_URL/hook with the token. Only point this at a gateway you control and keep the token secret.
- The webhook can send images to Telegram if TELEGRAM_BOT_TOKEN/CHAT_ID are set. If you don't want images leaving your network, omit Telegram and/or run the webhook on an isolated host.
- The SKILL.md instructs creating systemd services and a cloudflared tunnel — these create persistent network exposure. Prefer running the webhook in a dedicated, network-isolated VM or container and verify the cloudflared binary and its credentials come from the official release.
- The code invokes local binaries ('op', 'ffmpeg') via subprocess. Verify you trust those binaries and their locations; supply credentials via environment variables instead of broad 1Password service-account tokens where possible.
- If you must install, audit the included scripts (nest.py and nest-webhook.py) yourself, and update the registry metadata to reflect required env vars so future users are not surprised.
If you are not comfortable granting any of the listed tokens or creating persistent services and tunnels, do not install. If you proceed, limit tokens' scopes, run in isolation, and review outgoing endpoints (Telegram and any gateway) carefully.
Capability Analysis
Type: OpenClaw Skill
Name: nest-devices
Version: 2.0.1
This skill is classified as suspicious due to the presence of several high-risk capabilities, even though they are documented and appear to align with the stated purpose. Key indicators include the `SKILL.md` instructing the download and execution of an external binary (`cloudflared` from GitHub), the setup of systemd services for persistence of the webhook and tunnel, and the use of `subprocess.run` in `scripts/nest-webhook.py` and `scripts/nest.py` to execute `ffmpeg` (for image capture) and the `op` CLI (for 1Password credential retrieval). Additionally, `scripts/nest-webhook.py` sends images and messages containing event data to `api.telegram.org` for alerts, which, while user-configured, represents data exfiltration to an external endpoint.
Capability Assessment
Purpose & Capability
The skill claims to control Nest devices and the included Python client (scripts/nest.py) and webhook (scripts/nest-webhook.py) implement that. However the registry metadata lists no required environment variables or primary credential while the SKILL.md and code clearly require Nest OAuth credentials (project_id, client_id, client_secret, refresh_token), optional 1Password service account token(s), Telegram tokens, and a Clawdbot hooks token. That metadata omission is an inconsistency the user should be aware of.
Instruction Scope
SKILL.md instructs the agent/user to run OAuth flows, configure 1Password access, create a Cloud Pub/Sub topic, install and run a Cloudflare tunnel, add a systemd service for a local webhook, and enable 'Clawdbot Hooks' in a global clawdbot.json. The webhook code reads secrets (1Password/op or env vars), captures camera snapshots (via SDM APIs or RTSP + ffmpeg), sends images to Telegram, and POSTs event summaries to a GATEWAY_URL/hook endpoint with an Authorization header. These operations go beyond a simple device client and require persistent services and changing global agent configuration — appropriate for webhook functionality but wider in scope and with potential for data exfiltration if misconfigured.
Install Mechanism
There is no formal install spec, but SKILL.md shows an explicit curl download of cloudflared from the project's GitHub releases (reasonable source) and instructions to create systemd services. The skill will call external binaries (op, ffmpeg, cloudflared) via subprocess; those are expected for the described behavior but mean the runtime depends on locally-installed third-party tools.
Credentials
The code and docs require multiple sensitive values: Nest OAuth credentials (client_secret and refresh token), an OP service account token (OP_SERVICE_ACCOUNT_TOKEN or OP_TOKEN_*), an optional TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID, and a CLAWDBOT_HOOKS_TOKEN + CLAWDBOT_GATEWAY_URL. Nest credentials are necessary for the API, and 1Password access is a reasonable convenience, but the Clawdbot hook and gateway token give the skill the ability to POST events to an external gateway (potential exfiltration vector) and the registry metadata does not declare these requirements — a mismatch and risk.
Persistence & Privilege
The skill asks users to create a persistent systemd service and a Cloudflare tunnel to expose a local webhook, and to enable global 'clawdbot' hooks in clawdbot.json. While persistence is needed for real-time events, writing global clawdbot config and running a long-lived service increases the blast radius if credentials or webhook endpoints are misused. The skill is not marked always:true, but its instructions result in persistent, autonomous behavior.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install nest-devices
  3. After installation, invoke the skill by name or use /nest-devices
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.1
Rename OP_TOKEN_ANDREW to generic OP_SVC_ACCT_TOKEN
v2.0.0
Major fix: Pub/Sub push delivery, staleness filter (5min), alert filtering (doorbell+person only), env var documentation, IAM setup, end-to-end testing notes
v1.2.0
Fix Pub/Sub IAM binding (use sdm-prod service account). Rewrite webhook: use GenerateImage API instead of RTSP for faster doorbell snapshots. Direct Telegram delivery bypassing agent hook roundtrip. RTSP fallback. Add PYTHONUNBUFFERED to systemd service. Credential caching for faster response.
v1.1.0
Added real-time events setup: Pub/Sub, webhook server, Cloudflare tunnel, systemd services
v1.0.0
Initial release: thermostat control, camera live streams via Google Device Access API
Metadata
Slug nest-devices
Version 2.0.1
License
All-time Installs 5
Active Installs 5
Total Versions 5
Frequently Asked Questions

What is Nest Devices?

Control Nest smart home devices (thermostat, cameras, doorbell) via the Device Access API. Use when asked to check or adjust home temperature, view camera feeds, check who's at the door, monitor rooms, or set up temperature schedules. It is an AI Agent Skill for Claude Code / OpenClaw, with 2421 downloads so far.

How do I install Nest Devices?

Run "/install nest-devices" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Nest Devices free?

Yes, Nest Devices is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Nest Devices support?

Nest Devices is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Nest Devices?

It is built and maintained by amogower (@amogower); the current version is v2.0.1.
