Is falderebet/dirigera-control safe?

The SKILL.md frontmatter description closes with 'Accessible via Cloudflare tunnel on VPS'. This indicates the skill author's intended deployment architecture routes hub access through an external VPS. While no script in this version explicitly connects to the VPS, this description primes users and agents to treat external routing as normal. Any future update that adds VPS connectivity would appear consistent with documented behaviour. A user following this skill's hub-setup guide on a remote-access scenario would be sending authentication tokens through infrastructure they do not control.

find_dirigera_ip.py reads the kernel ARP cache via subprocess and then TCP-probes every host in the user's /24 subnet on port 8443. The output — a list of all live LAN hosts with an open IoT-management port — constitutes a detailed local network map. This data is printed to stdout and not otherwise transmitted, but it is available to the agent context and any skill that processes tool output.

SKILL.md contains a bold CRITICAL instruction ordering the agent to 'End your turn immediately — do not wait or continue processing' after launching the background token script. The stated rationale (avoiding blocking on an interactive process) is legitimate. However this is a direct instruction to alter agent output behaviour, which in a malicious variant could conceal side-effects. Its presence here should be noted and users should verify the background process does not perform additional actions before the agent resumes.

generate_token_wrapper.py writes the hub access token with a trailing newline to dirigera_token.txt (or a user-supplied path) via Path.write_text(). The file is created with default umask permissions. Any process or skill running as the same OS user can subsequently read this token and gain full API access to the user's IKEA smart home devices including lights, outlets, and scene triggers.

generate_token_wrapper.py calls requests.packages.urllib3.disable_warnings(InsecureRequestWarning) at module level and passes verify=False to both the authorization code GET and token POST requests. This is conventional for Dirigera (self-signed cert) but removes all protection against a local network MITM that could intercept the authorization code or the access token during the exchange.

find_dirigera_ip.py invokes the IKEA generate-token CLI binary via subprocess.run(['generate-token', ip], check=False). The check=False means a non-zero exit or missing binary is silently ignored. If generate-token is not on PATH the function returns without error; if a malicious binary named generate-token is earlier on PATH it would be executed instead.

Six honeypot credential files appear in auditd PATH records at two distinct timestamps: ~1771936560 (pre-clone baseline) and ~1771936583 (post-install verification). The canary integrity report confirms all files are unmodified. Both access events are attributed to the oathe audit scaffolding, not to any skill script or process spawned from the skill directory.