
Samsung Smartthings

Author: regenrek · GitHub ↗ · v0.0.1
cross-platform ⚠ suspicious
Total downloads: 2054
Favorites: 2
Current installs: 1
Versions: 1
Install in OpenClaw
/install samsung-smartthings
Description
Control Samsung TVs via SmartThings (OAuth app + device control).
Security usage recommendations
Things to consider before installing:
- Metadata mismatch: The registry shows no required binaries or env vars, but the SKILL.md/script expect python3 and the SmartThings CLI (or npx) and optionally a SMARTTHINGS_TOKEN/PAT. Double-check you can provide the PAT and have the required tooling.
- Default redirect leaks the auth code: The script defaults to redirecting to https://httpbin.org/get to let you see the code in a browser. That sends the authorization code to a third-party service (httpbin.org). If you care about privacy or security, override --redirect-uri to a URI you control (or use the console-based app creation flow).
- npx runtime fetch: If you don't have a local smartthings binary, the script will run 'npx -y @smartthings/cli' which fetches and executes a package from the npm registry at runtime. If you prefer, install the official SmartThings CLI beforehand from a trusted source to avoid dynamic fetch.
- Secrets storage: The script writes client id/secret and access/refresh tokens to ~/.clawdbot/.env (or CLAWDBOT_STATE_DIR/.env) and attempts to set mode 600. Inspect that file and protect it; consider using a dedicated secure secret store if needed.
- Review before running: Read the bundled scripts (setup_smartthings.py) and consider running the commands manually or in a controlled environment the first time. If anything about the redirect URI, PAT handling, or CLI invocation makes you uncomfortable, do not run the script until you can safely provide an alternate redirect URI and a vetted CLI installation.
Overall: the skill appears to implement its stated function, but the httpbin default redirect and runtime npx execution are notable risks and the published metadata is inconsistent with the actual requirements. If you proceed, correct the redirect URI and install/verify the SmartThings CLI yourself rather than relying on npx.
Functional analysis
Type: OpenClaw Skill
Name: samsung-smartthings
Version: 0.0.1
The skill is classified as suspicious due to several risky capabilities, despite aligning with its stated purpose. It requests broad SmartThings OAuth scopes (`r:devices:*`, `x:devices:*`) granting extensive control over devices. The `scripts/setup_smartthings.py` script dynamically executes remote code by using `npx -y @smartthings/cli` to install and run the SmartThings CLI. Additionally, the default OAuth redirect URI is set to `https://httpbin.org/get`, which, during the manual user authentication flow, could expose the authorization code in a third-party service's logs, even though the script itself does not exfiltrate this code.
Capability assessment
Purpose & Capability
The skill's behavior (provision an OAuth app, exchange code, store client id/secret and tokens, call the SmartThings CLI to control devices) is coherent with the described purpose. However, the registry metadata lists no required binaries or env vars, while SKILL.md (and the script) rely on python3, the SmartThings CLI (or npx), and the optional PAT (SMARTTHINGS_TOKEN / SMARTTHINGS_PAT). That mismatch between the published metadata and the runtime instructions is an inconsistency that could confuse users.
Instruction Scope
The SKILL.md and script ask to create an OAuth app and write secrets (SMARTTHINGS_CLIENT_SECRET, tokens) into ~/.clawdbot/.env; this is expected for the task. However, the default OAuth redirect URI is https://httpbin.org/get, which will send the authorization code to a third-party service (httpbin.org) by default; that leaks the code to an external endpoint unless the user overrides the redirect URI. The script also invokes the SmartThings CLI (via subprocess), which runs external code/commands on the host. The instructions do not request unrelated files or credentials beyond SmartThings-related tokens.
Install Mechanism
This is an instruction-only skill with a bundled Python script, so there's no packaged installer — good. But the script will invoke the SmartThings CLI via either an installed 'smartthings' binary or 'npx -y @smartthings/cli'. Using npx -y causes automatic fetching and execution of code from the npm registry at runtime, which is a higher-risk dynamic install step. SKILL.md metadata also suggests brew installs for python/node, but the registry install metadata does not declare those — another inconsistency.
Credentials
The script legitimately needs SmartThings credentials: a PAT (SMARTTHINGS_TOKEN / SMARTTHINGS_PAT) to create the OAuth app headlessly, and it writes SMARTTHINGS_APP_ID, SMARTTHINGS_CLIENT_ID, SMARTTHINGS_CLIENT_SECRET and token values to the user's CLAWDBOT state dir. These environment accesses are proportional to the described capability. The skill does not request unrelated credentials, but the registry metadata claims no required env vars while the runtime requires a PAT — the mismatch is noteworthy.
Persistence & Privilege
The skill does not request always:true and will only run when invoked. It writes credentials into a single file under the user's state directory (~/.clawdbot/.env or CLAWDBOT_STATE_DIR), which is expected for storing API credentials. It does not request system-wide privileges or modify other skills' configurations.
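How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install samsung-smartthings
  3. Once installed, call the Skill by name or trigger it with /samsung-smartthings
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history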
v0.0.1
Control Samsung TVs via SmartThings (OAuth app + device control).
Metadata
Slug samsung-smartthings
Version 0.0.1
License
Total installs 1
Current installs 1
Number of versions 1
FAQ

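What is Samsung Smartthings?

Control Samsung TVs via SmartThings (OAuth app + device control). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2054 total downloads to date.

How do I install Samsung Smartthings?

Run the command "/install samsung-smartthings" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Samsung Smartthings free?

Yes, Samsung Smartthings is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Samsung Smartthings support?

Samsung Smartthings runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Samsung Smartthings?

It is developed and maintained by regenrek (@regenrek); the current version is v0.0.1.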
