Research
Security News
Malicious npm Packages Use Telegram to Exfiltrate BullX Credentials
Socket uncovers an npm Trojan stealing crypto wallets and BullX credentials via obfuscated code and Telegram exfiltration.
By Kush Pandya - May 08, 2025
🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
- Maintainers
- 3
smartbox 
Python API to control heating 'smart boxes'
Installation
Install
To install smartbox simply run:
pip install smartbox
Depending on your permissions you might be required to use sudo.
Once installed you can simply add smartbox to your Python 3 scripts by including:
import smartbox
smartbox Command Line Tool
Mandatory options
You can use the smartbox tool to get status information from your heaters
(nodes) and change settings.
A few common options are required for all commands:
-u/--username: Your username as used for the mobile app/web app.-p/--password: Your password as used for the mobile app/web app.
Verbose logging can be enabled with the -v/--verbose flag.
Optional options
These options are useful if your reseller is not configured.
-b/--base-auth-creds: An HTTP Basic Auth credential used to do initial authentication with the server. Use the base64 encoded string directly. See 'Basic Auth Credential' section below for more details.-a/--api-name: The API name for your heater vendor. This is visible in the 'API Host' entry in the 'Version' menu item in the mobile app/web app. If the host name is of the formapi-foo.xxxxorapi.xxxxuse the valuesapi-fooorapirespectively. The reseller has to be declared in the package.-r/--x-referer: The referer of your request.-i/--x-serial-id: The serial-id of your request.
Availables commands
Listing smartbox devices
smartbox <auth options...> devices
Listing smartbox nodes
The nodes command lists nodes across all devices.
smartbox <auth options...> nodes
Getting node status
The status command lists status across all nodes and devices.
smartbox <auth options...> status
Setting node status
The set-status command can be used to change a status item on a particular
node.
smartbox <auth options...> set-status <-d/--device-id> <device id> <-n/--node-addr> <node> <name>=<value> [<name>=<value> ...]
Getting node setup
The setup command lists setup across all nodes and devices.
smartbox <auth options...> setup
Setting node setup
The set-setup command can be used to change a setup item on a particular
node.
smartbox <auth options...> set-setup <-d/--device-id> <device id> <-n/--node-addr> <node> <name>=<value> [<name>=<value> ...]
Setting node samples
The node-samples command can be used to get the historical data (temperature and consumption) of a node.
smartbox <auth options...> node-samples <-d/--device-id> <device id> <-n/--node-addr> <node> <-s/--start-time> <start time> <-e/--end-time> <end time>
Getting device away status
The device-away-status command lists the away status across all devices.
smartbox <auth options...> device-away-status
Setting device away status
The set-device-away-status command can be used to change the away status on a
particular device.
smartbox <auth options...> set-device-away-status <-d/--device-id> <device id> <name>=<value> [<name>=<value> ...]
Getting device power limit
The device-power-limit command lists the power limit (in watts) across all
devices.
smartbox <auth options...> device-power-limit
Setting device power limit
The set-device-power-limit command can be used to change the power limit (in
watts) on a particular device.
smartbox <auth options...> set-device-power-limit <-d/--device-id> <device id> <limit>
Health check
The health-check command can be used to know if the API is alived
smartbox <auth options...> health-check
List available resellers
The resellers command can be used to know which resellers has an automatic configuration.
If your reseller is not present you can raise an issue in github, or use the optional options.
smartbox <auth options...> resellers
See api-notes.md for notes on REST and socket.io endpoints.
Development
Prerequisites:
uv
python >=3.13
Clone the repo, install dependencies and install pre-commit hooks:
git clone
cd smartbox
uv sync
pre-commit install
Testing
To run the full suite simply run the following command from within the virtual environment:
pytest
or
python -m pytest tests/
To generate code coverage xml (e.g. for use in VSCode) run
python -m pytest --cov-report xml:cov.xml --cov smartbox --cov-append tests/
Another way to run the tests is by using tox. This runs the tests against the installed package and multiple versions of python.
tox
or by specifying a python version
tox -e py313
Support
FAQs
Python API to control heating 'smart boxes'
We found that smartbox demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
Security News
Backdooring the IDE: Malicious npm Packages Hijack Cursor Editor on macOS
Malicious npm packages posing as developer tools target macOS Cursor IDE users, stealing credentials and modifying files to gain persistent backdoor access.
By Kirill Boychenko - May 07, 2025
Security News
AI Slop Is Polluting Bug Bounty Platforms with Fake Vulnerability Reports
AI-generated slop reports are making bug bounty triage harder, wasting maintainer time, and straining trust in vulnerability disclosure programs.
By Sarah Gooding - May 06, 2025