tag-assistant

Nest SDM

Author: Tag · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 701
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install nest-sdm
Description
Control Nest thermostat, doorbell, and cameras via the Google Smart Device Management (SDM) API.
Safe-use recommendations
This skill appears to do what it says (control Nest and forward events), but the bundled scripts read and create token files and may pull credentials from places you might not expect (your ~/.zshenv and any local gcloud auth). Before installing or running: (1) Inspect the token files and avoid placing other secrets in ~/.openclaw/workspace or your shell rc; (2) Prefer creating dedicated OAuth credentials and a dedicated GCP project with least-privilege scopes; (3) Don't store long-lived unrelated secrets in .zshenv — the script will try to read it; (4) Consider running the scripts in an isolated environment (container or restricted user) and verify TELEGRAM_BOT_TOKEN/CHAT_ID are set explicitly rather than relying on automatic discovery; (5) If you don't want event forwarding, avoid running nest-events.sh or remove the Telegram forwarding sections. If you're unsure, test in a disposable account/project first.
Functional analysis
Type: OpenClaw Skill
Name: nest-sdm
Version: 1.0.0
The skill is classified as suspicious due to several shell/JSON injection vulnerabilities found in `nest-events.sh` and `nest-sdm.sh`. User-controlled input (e.g., device names, thermostat settings, raw API body) is directly interpolated into `python3 -c` strings and `curl -d` JSON payloads without robust sanitization. This could allow an attacker to craft malicious input to perform unintended API actions or potentially execute arbitrary commands. For example, `nest-sdm.sh`'s `cmd_api` function directly passes user-supplied JSON to the API, and `nest-events.sh`'s `send_telegram_alert` and `format_event_alert` functions are vulnerable to Python string injection if input contains specific quote characters. While these are significant vulnerabilities, there is no clear evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints, persistence, or obfuscation; all network calls are to legitimate Google and Telegram APIs for the skill's stated purpose.
Capability assessment
Purpose & Capability
The name/description (Nest SDM control and event forwarding) aligns with the included scripts and SKILL.md: OAuth tokens, SDM API calls, and Pub/Sub event handling are expected for this use case. Required binaries (curl, python3) are proportional. However, the registry metadata declares no required env vars while the scripts clearly read several environment variables and token files — this declaration mismatch is noteworthy.
Instruction Scope
SKILL.md and the scripts instruct the agent to read and write token files under ~/.openclaw/workspace, run OAuth exchanges, poll Google Pub/Sub, and forward events to Telegram. The nest-events.sh script additionally attempts to parse $HOME/.zshenv for TELEGRAM_* variables and falls back to invoking a local gcloud binary to obtain access tokens. Those actions expand scope beyond simple SDM API calls because they read arbitrary shell config and reuse any existing gcloud credentials on the host.
Install Mechanism
This is an instruction-only skill with no installer; there is no network-downloaded code at install time. Code files are bundled with the skill (shell scripts), so nothing is fetched or executed automatically beyond what the scripts do when run.
Credentials
The skill legitimately needs OAuth client_id/client_secret/refresh_token and (optionally) Pub/Sub tokens and a Telegram bot token to operate. However: the registry lists no required env vars while the scripts expect NEST_SDM_TOKENS, NEST_PUBSUB_TOKENS, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, GCP_PROJECT and more. The script's behavior of scanning ~/.zshenv for TELEGRAM_* and using gcloud to fetch tokens can access unrelated secrets/credentials on the host — this is disproportionate unless explicitly documented and consented to.
Persistence & Privilege
The skill does not request always:true and does not modify other skill configs. It can be run as a daemon (listen) which is expected for event forwarding, and autonomous invocation is allowed by default (platform normal). No elevated system persistence or cross-skill configuration changes are requested by the code.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install nest-sdm
  3. After installation, invoke the skill by name directly or trigger it with /nest-sdm
  4. Provide the required inputs according to the skill's parameter description to receive structured output
Version history
v1.0.0
Initial publish
Metadata
Slug: nest-sdm
Version: 1.0.0
License:
Total installs: 0
Current installs: 0
Number of versions: 1
FAQ

What is Nest SDM?

Control Nest thermostat, doorbell, and cameras via the Google Smart Device Management (SDM) API. It is an AI agent skill plugin for Claude Code / OpenClaw, with 701 downloads to date.

How do I install Nest SDM?

Run the command "/install nest-sdm" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is required.

Is Nest SDM free?

Yes, Nest SDM is completely free (open source and free of charge) and can be freely downloaded, installed and used.

Which platforms does Nest SDM support?

Nest SDM runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Nest SDM?

Developed and maintained by Tag (@tag-assistant); current version v1.0.0.