ClawAudit verdict
Shelly BluTRV Manager
shelly-blutrv-manager
The skill appears to be a manager for Shelly BluTRV thermostats and does not contain any malicious code.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (3)
HTTP request to bare IP address — common in malicious payloads
SKILL.md · code · http://192.168.0.101
Opens WebSocket connection
SKILL.md · prose · downgraded · WebSocket
Popular HTTP library — network access
scripts/blutrv-control.sh · prose · downgraded · got
Permissions & capabilities
Requires 4 environment variables. (1 sensitive: SHELLY_CLOUD_TOKEN). Requires 3 system binaries. (1 elevated: curl).
network_outnetwork_in Is this flag fair?
Thanks — recorded.