Scan Report
5/100
tradfri-lights
Control IKEA TRÅDFRI lights and groups through a local TRÅDFRI gateway using node-tradfri-client
A legitimate smart home control skill for IKEA TRÅDFRI lights with no malicious indicators - all capabilities are documented, no credential exfiltration, no shell execution, and network access is restricted to the local gateway.
Safe to install
This skill is safe to use. No action required.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Missing package.json Supply Chain | scripts/tradfri.js:1 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | Only reads config.json for gateway credentials |
| Network | READ | READ | ✓ Aligned | Only connects to local TRÅDFRI gateway via node-tradfri-client |
| Shell | NONE | NONE | — | No shell commands or subprocess calls in code |
| Environment | NONE | READ | ✓ Aligned | Reads TRADFRI_* env vars for gateway credentials; documented in SKILL.md |
File Tree
4 files · 22.6 KB · 623 lines
JavaScript 1f · 449L
Markdown 2f · 169L
JSON 1f · 5L
├─ references
│  └─ setup.md (Markdown)
├─ scripts
│  └─ tradfri.js (JavaScript)
├─ config.json ⚠ (JSON)
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| node-tradfri-client | * | npm | No | Version not pinned - no package.json present |
Security Positives
✓ No credential exfiltration - gateway credentials only used for local authentication
✓ No shell command execution or subprocess calls
✓ No external network connections beyond local TRÅDFRI gateway
✓ No obfuscation, base64 encoding, or hidden execution paths
✓ Documentation fully matches implemented functionality
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env reading)
✓ Clean error handling with no silent failures
✓ Credentials are local-only, not transmitted externally