Skills
skills/sundial-org/awesome-openclaw-skills/samsung-smart-tv/Gen Agent Trust Hub

samsung-smart-tv

Warn

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: MEDIUMCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/setup_smartthings.py executes the SmartThings CLI using subprocess.run to manage OAuth applications and query device lists.
  • [EXTERNAL_DOWNLOADS]: The skill fetches the @smartthings/cli package from the npm registry at runtime using npx if the command is not natively present on the system.
  • [CREDENTIALS_UNSAFE]: The script provides the Personal Access Token (PAT) to the CLI via the --token command-line argument. This allows the secret to be visible to other users or monitoring processes on the same host through the process table.
  • [DATA_EXFILTRATION]: The default OAuth redirect URI is configured as https://httpbin.org/get. This configuration transmits sensitive authorization codes to an external third-party debugging service.
  • [PROMPT_INJECTION]: The skill ingests and parses JSON data from external CLI tool outputs which could be susceptible to manipulation if the local environment is compromised.
  • Ingestion points: scripts/setup_smartthings.py parses output from smartthings CLI commands.
  • Boundary markers: None present.
  • Capability inventory: The skill can execute subprocesses and write secrets to the local ~/.clawdbot/.env file.
  • Sanitization: No specific validation or sanitization of CLI output is performed prior to processing.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 21, 2026, 01:00 PM