Control Ecovacs robot vacuums (DEEBOT series) via the official Ecovacs MCP server — start/stop/pause cleaning, send the robot to its dock, check battery and...
Security Analysis
high confidenceThe skill's requests (ECO_API_KEY, uvx/python3) and runtime instructions line up with its stated purpose of controlling Ecovacs DEEBOT devices via the official MCP server; nothing in the package requests unrelated credentials or tries to install arbitrary binaries.
Name/description, required env var (ECO_API_KEY), and required binaries (uvx or python3 + ecovacs-robot-mcp) are coherent with a skill that proxies commands to the official Ecovacs MCP server. The primary credential (ECO_API_KEY) is appropriate and expected for this integration.
SKILL.md stays within the stated scope (discover devices, call get_device_list, start/stop/pause, query status) and does not instruct reading unrelated files or exfiltrating data. One operational note: the doc repeatedly instructs the agent to 'use this skill whenever the user mentions their robot vacuum — even if they don't say "Ecovacs" explicitly', which is broad and could cause frequent autonomous invocation. Also it suggests caching nicknames for the session (normal but means device identifiers will be stored in session context).
This is an instruction-only skill with no install spec and no archives/downloads. It only recommends installing uvx or the ecovacs-robot-mcp Python package via pip; that is low-risk and expected.
Only ECO_API_KEY is required/declared as the primary credential; that matches the described functionality. No unrelated secrets, config paths, or multiple external credentials are requested.
The skill is not marked always:true (good). It is set user-invocable: false but model invocation is allowed (disable-model-invocation: false), so the agent can autonomously invoke it; combined with the instruction to trigger on implicit mentions, this may lead to the skill being invoked whenever vacuum-related phrases appear. This is a design/behavioral choice rather than a direct security mismatch, but users should be aware.
Guidance
This skill appears to do what it claims: it needs your Ecovacs API key and either uvx or the Python MCP package to call the official MCP server. Before installing, verify you trust the skill source (README/_meta reference a GitHub repo; confirm that repo is legitimate). If you proceed: provide a dedicated API key tied to the Ecovacs account you want the assistant to control, avoid placing other unrelated secrets in the same environment, and be aware the agent may autonomously invoke the skill when vacuum-related language appears (you may want to restrict or monitor autonomous actions). If you later remove the skill, rotate or revoke the API key. Minor metadata inconsistencies (package version and source labels) exist in the files — not inherently dangerous but worth checking the upstream repo for authenticity.
Latest Release
v1.0.0
Initial release of Ecovacs robot vacuum control via the official MCP server. - Adds support for controlling DEEBOT (Ecovacs) robots: start/stop/pause cleaning, send to dock, check battery/status, and list devices. - Integrates with the Ecovacs MCP server using an API key. - Uses fuzzy nickname matching for device selection. - Provides real-time status reports (cleaning, charging, station state). - Designed for seamless natural language triggers (e.g., “vacuum,” “send it home,” “is it charging?”).
Popular Skills
Published by @f-liva on ClawHub
