Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Homeassistant
v1.0.0
Control and monitor Home Assistant smart devices using commands for lights, switches, covers, climate, scenes, and scripts via the HA API.
by Glitch @chris6970barbarian-hue
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to control Home Assistant via a local CLI (ha-cli) and requires a HA URL and long‑lived token, but registry metadata lists no required env vars/credentials and no binaries. The declared package contents (README/SKILL.md) reference executables that are not actually present. That mismatch is disproportionate to the stated purpose.
Instruction Scope
The runtime instructions tell the user/agent to run `ha-cli setup <HA_URL> <TOKEN>` or export HA_URL/HA_TOKEN, and state that credentials are saved to config.json. The instructions themselves are limited to HA operations (no unrelated file/system access), but they assume the presence of a CLI that is not included. The workflow also persists the token in plaintext config.json in the skill directory, which increases persistence of a sensitive secret.
Install Mechanism
There is no install specification (instruction-only), which is low risk by itself. However, SKILL.md/README enumerate binaries (ha-cli, ha) in the files list but those executables are not present in the bundle—an inconsistency that may indicate an incomplete package or mislabeling.
Credentials
The skill metadata declares no required environment variables or primary credential, yet the SKILL.md explicitly tells users to provide HA_URL and HA_TOKEN. That discrepancy is misleading: the skill will need those values to function, and the instructions advise storing the token in a plaintext config file. Requiring a long‑lived token is reasonable for Home Assistant control, but the package should declare that explicitly and document storage/permissions.
Persistence & Privilege
The skill does not request elevated platform privileges and is not always‑on. It does persist configuration (config.json) in the skill bundle directory per its docs; storing tokens there creates persistent local secrets but does not, in the package as provided, demonstrate unauthorized access to other skills or system settings.
What to consider before installing
This package is inconsistent: the docs instruct running a CLI (ha-cli) and storing a Home Assistant long‑lived token, but the actual bundle does not include the referenced executables or declare the env vars. Before installing or providing secrets, ask the publisher for the missing CLI or an install mechanism, verify the CLI binary comes from a trusted source (or inspect its source), and prefer using environment variables with limited-scope tokens. Treat the included config.json as potentially sensitive storage — set strict file permissions if you must use it. If unsure, use the official Home Assistant integrations or a well‑maintained client rather than this incomplete skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk976q5ga061r8z6ny4hjtjtetx81arne
