Control Tuya smart home devices via natural language. Use when the user asks to control smart devices (turn on/off lights, AC, plugs, adjust brightness/tempe...
Security Analysis
high confidenceThe skill's code, instructions, and required TUYA_API_KEY align with its stated purpose of controlling Tuya devices and subscribing to device events; nothing requests unrelated secrets or system access.
Name/description match the contained artifacts: a REST API wrapper (tuya_api.py) and a WebSocket message client (tuya_device_mq_client.py). The single required environment variable is TUYA_API_KEY, which is exactly what a Tuya integration needs. Declared pip dependencies (requests, websockets) are appropriate.
SKILL.md instructs the agent to run the included CLI/SDK and to subscribe to device events. Those instructions stay within the stated domain (device queries, control, notifications, IPC capture). Important behavior to be aware of: the skill supports IPC camera cloud capture and can return decrypted media URLs (sensitive content) and can send SMS/voice/email/push to the account's bound contacts. The docs require user privacy consent for decrypted IPC URLs and note the WebSocket client is server-side only.
No external download/install spec is provided (instruction-only install); files include a requirements.txt for standard pip packages. There are no obscure remote URLs or extracted archives in the manifest. Installing dependencies (requests, websockets) is the expected minimal requirement.
Only TUYA_API_KEY is required and is declared as the primary credential. An optional TUYA_BASE_URL may be read if provided. No other secrets, config paths, or unrelated credentials are requested.
always is false and the skill does not request elevated platform privileges. It includes a WebSocket client that can run continually server-side (expected for real-time subscriptions) but does not modify other skills or system-wide settings.
Guidance
This skill appears to implement a legitimate Tuya integration and only asks for TUYA_API_KEY, which is appropriate. Before installing, consider: 1) The skill can control devices, send SMS/voice/email/push to your account, and capture camera snapshots (including decrypted URLs) — only enable it if you trust the source and understand these capabilities. 2) Run it on a trusted server (the WebSocket client is server-side only) and do not expose the API key to frontends. 3) Use a Tuya API key with the minimum necessary permissions and be prepared to rotate/revoke the key if anything looks suspicious. 4) Because the skill's published source/homepage is absent in registry metadata, review the included scripts yourself (tuya_api.py and tuya_device_mq_client.py) or obtain the official SDK from Tuya's official repo before use.
Latest Release
v1.0.4
**1.0.4 Summary: Adds real-time device event monitoring and messaging via WebSocket.** - Introduced real-time device message subscription over WebSocket through a new client (`tuya_device_mq_client.py`), allowing live monitoring of device property/status changes. - Expanded documentation (`SKILL.md` and new `references/device-message.md`) to cover usage, configuration, and data center mapping for event subscription. - Updated dependencies: now requires `websockets>=12.0` in addition to previous packages. - The `description` now mentions real-time event monitoring and WebSocket support. - No changes to existing REST API or device control flows; all features remain compatible.
Popular Skills
Published by @gaosq856 on ClawHub
