Total downloads: 2421
Favorites: 0
Current installs: 5
Versions: 5
Install in OpenClaw
/install nest-devices
Description
Control Nest smart home devices (thermostat, cameras, doorbell) via the Device Access API. Use when asked to check or adjust home temperature, view camera feeds, check who's at the door, monitor rooms, or set up temperature schedules.
Security recommendations
This skill mostly does what it says (Nest control + webhook), but there are important red flags to check before installing:
- Expect to provide sensitive credentials: Nest OAuth client_id/client_secret/refresh_token (or equivalent 1Password item and OP service account token). The registry metadata omitted these — do not assume none are needed.
- Review and restrict any CLAWDBOT_GATEWAY_URL and CLAWDBOT_HOOKS_TOKEN usage. The webhook will POST events (including potentially images) to GATEWAY_URL/hook with the token. Only point this at a gateway you control and keep the token secret.
- The webhook can send images to Telegram if TELEGRAM_BOT_TOKEN/CHAT_ID are set. If you don't want images leaving your network, omit Telegram and/or run the webhook on an isolated host.
- The SKILL.md instructs creating systemd services and a cloudflared tunnel — these create persistent network exposure. Prefer running the webhook in a dedicated, network-isolated VM or container and verify the cloudflared binary and its credentials come from the official release.
- The code invokes local binaries ('op', 'ffmpeg') via subprocess. Verify you trust those binaries and their locations; supply credentials via environment variables instead of broad 1Password service-account tokens where possible.
- If you must install, audit the included scripts (nest.py and nest-webhook.py) yourself, and update the registry metadata to reflect required env vars so future users are not surprised.
If you are not comfortable granting any of the listed tokens or creating persistent services and tunnels, do not install. If you proceed, limit tokens' scopes, run in isolation, and review outgoing endpoints (Telegram and any gateway) carefully.
Functional analysis
Type: OpenClaw Skill
Name: nest-devices
Version: 2.0.1
This skill is classified as suspicious due to the presence of several high-risk capabilities, even though they are documented and appear to align with the stated purpose. Key indicators include the `SKILL.md` instructing the download and execution of an external binary (`cloudflared` from GitHub), the setup of systemd services for persistence of the webhook and tunnel, and the use of `subprocess.run` in `scripts/nest-webhook.py` and `scripts/nest.py` to execute `ffmpeg` (for image capture) and the `op` CLI (for 1Password credential retrieval). Additionally, `scripts/nest-webhook.py` sends images and messages containing event data to `api.telegram.org` for alerts, which, while user-configured, represents data exfiltration to an external endpoint.
Capability assessment
Purpose & Capability
The skill claims to control Nest devices and the included Python client (scripts/nest.py) and webhook (scripts/nest-webhook.py) implement that. However the registry metadata lists no required environment variables or primary credential while the SKILL.md and code clearly require Nest OAuth credentials (project_id, client_id, client_secret, refresh_token), optional 1Password service account token(s), Telegram tokens, and a Clawdbot hooks token. That metadata omission is an inconsistency the user should be aware of.
Instruction Scope
SKILL.md instructs the agent/user to run OAuth flows, configure 1Password access, create a Cloud Pub/Sub topic, install and run a Cloudflare tunnel, add a systemd service for a local webhook, and enable 'Clawdbot Hooks' in a global clawdbot.json. The webhook code reads secrets (1Password/op or env vars), captures camera snapshots (via SDM APIs or RTSP + ffmpeg), sends images to Telegram, and POSTs event summaries to a GATEWAY_URL/hook endpoint with an Authorization header. These operations go beyond a simple device client and require persistent services and changing global agent configuration — appropriate for webhook functionality but wider in scope and with potential for data exfiltration if misconfigured.
Install Mechanism
There is no formal install spec, but SKILL.md shows an explicit curl download of cloudflared from the project's GitHub releases (reasonable source) and instructions to create systemd services. The skill will call external binaries (op, ffmpeg, cloudflared) via subprocess; those are expected for the described behavior but mean the runtime depends on locally-installed third-party tools.
Credentials
The code and docs require multiple sensitive values: Nest OAuth credentials (client_secret and refresh token), an OP service account token (OP_SERVICE_ACCOUNT_TOKEN or OP_TOKEN_*), an optional TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID, and a CLAWDBOT_HOOKS_TOKEN + CLAWDBOT_GATEWAY_URL. Nest credentials are necessary for the API, and 1Password access is a reasonable convenience, but the Clawdbot hook and gateway token give the skill the ability to POST events to an external gateway (potential exfiltration vector) and the registry metadata does not declare these requirements — a mismatch and risk.
Persistence & Privilege
The skill asks users to create a persistent systemd service and a Cloudflare tunnel to expose a local webhook, and to enable global 'clawdbot' hooks in clawdbot.json. While persistence is needed for real-time events, writing global clawdbot config and running a long-lived service increases the blast radius if credentials or webhook endpoints are misused. The skill is not marked always:true, but its instructions result in persistent, autonomous behavior.
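How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install nest-devices`
- Once installation completes, call the Skill by name or trigger it with `/nest-devices`
- Provide the required input according to the Skill's parameter description to get structured output
Version history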
v2.0.1
Rename OP_TOKEN_ANDREW to generic OP_SVC_ACCT_TOKEN
v2.0.0
Major fix: Pub/Sub push delivery, staleness filter (5min), alert filtering (doorbell+person only), env var documentation, IAM setup, end-to-end testing notes
v1.2.0
Fix Pub/Sub IAM binding (use sdm-prod service account). Rewrite webhook: use GenerateImage API instead of RTSP for faster doorbell snapshots. Direct Telegram delivery bypassing agent hook roundtrip. RTSP fallback. Add PYTHONUNBUFFERED to systemd service. Credential caching for faster response.
v1.1.0
Added real-time events setup: Pub/Sub, webhook server, Cloudflare tunnel, systemd services
v1.0.0
Initial release: thermostat control, camera live streams via Google Device Access API
FAQ
What is Nest Devices?
Control Nest smart home devices (thermostat, cameras, doorbell) via the Device Access API. Use when asked to check or adjust home temperature, view camera feeds, check who's at the door, monitor rooms, or set up temperature schedules. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2421 cumulative downloads to date.
How do I install Nest Devices?
Run the command "/install nest-devices" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.
Is Nest Devices free?
Yes, Nest Devices is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Nest Devices support?
Nest Devices is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Nest Devices?
Developed and maintained by amogower (@amogower); the current version is v2.0.1.