🏠 Home Assistant via MCP protocol

v1.0.1

A skill for controlling Home Assistant smart home devices and querying states using the MCP protocol.

by Alone (@al-one)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Home Assistant via MCP) align with requirements: mcporter (or npx) is the MCP CLI and HASS_ACCESS_TOKEN/HASS_BASE_URL are exactly what a Home Assistant MCP client needs.
Instruction Scope
SKILL.md only instructs using mcporter (or npx mcporter) to call MCP methods and to configure mcporter with HASS_BASE_URL/HASS_ACCESS_TOKEN; it does not request unrelated files, credentials, or system-wide data.
Install Mechanism
Install spec uses the 'mcporter' npm package (node). This is an expected way to obtain the MCP CLI but is a moderate-risk install vector (public registry package will be installed/placed on disk). Verify the mcporter package/source before installing.
Credentials
Only HASS_ACCESS_TOKEN (primary) and HASS_BASE_URL are required. Both are necessary and proportionate for connecting to a Home Assistant MCP endpoint.
Persistence & Privilege
The skill does not request always:true and is not asking to modify other skills or system configs; it runs on-demand or autonomously per platform defaults (normal for skills).
Assessment
This skill appears to be what it says: it uses the mcporter CLI to talk to a Home Assistant MCP endpoint and needs your HASS_BASE_URL and HASS_ACCESS_TOKEN. Before installing:
1) Verify you trust the mcporter npm package (review its GitHub repo/source and recent releases) instead of blindly installing from npm.
2) Use a Home Assistant token with minimal necessary scope and treat it like a secret; don't paste it into public places.
3) Prefer using npx for ephemeral invocation if you don't want a global binary, or install in a controlled environment.
4) Confirm HASS_BASE_URL points to your internal/Home Assistant instance (avoid exposing the token to external endpoints).
5) If you are concerned about autonomous invocation, restrict or review the skill's permissions in your agent platform; autonomous invocation is normal but increases blast radius if the token is compromised.


latest: vk974s2rfvb0fkcqe4p71qwfwjn80zc4f


Runtime requirements

🏠 Clawdis
Any bin: mcporter, npx
Env: HASS_ACCESS_TOKEN, HASS_BASE_URL
Primary env: HASS_ACCESS_TOKEN

Install

Install mcporter (node)
Bins: mcporter
npm i -g mcporter
