Homeassistant
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its Home Assistant purpose, but it asks for a long-lived smart-home token and can control high-impact devices like locks through a missing/undeclared CLI, so it needs review before use.
Only install this if you trust the `ha-cli` command source and are comfortable giving it a long-lived Home Assistant token. Before use, confirm where the CLI comes from, restrict or rotate the token if possible, avoid enabling unlock/script/bulk actions without confirmation, and check how config.json is protected.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or user mistake could unlock a door, change climate settings, run automations, or affect multiple devices.
The documented commands can directly change physical smart-home state, including locks and scripts, without any documented confirmation or allowlist.
ha-cli lock front door ... Any device type: Lights, switches, covers, climate, locks, scenes, scripts
Require explicit confirmation for locks, scripts, scenes, climate, and bulk actions; show the exact matched entity before changing it; and support an allowlist of safe devices.
A vague or misheard device name could cause the wrong device or automation to run.
Fuzzy matching can select unintended Home Assistant entities, and the same skill supports high-impact actions such as locks, scripts, and scenes.
Partial name matching (bed → Bedroom Light) ... Fuzzy matching enabled
Disambiguate fuzzy matches before executing state-changing commands, especially for locks, covers, scripts, scenes, and climate devices.
A long-lived Home Assistant token may allow broad control of the user's smart-home account and devices if misused or exposed.
The skill requires a persistent Home Assistant credential, but the registry metadata declares no primary credential or environment variables, and the artifacts do not bound token scope or handling.
Long-Lived Access Token from HA Profile page ... ha-cli setup <HA_URL> <TOKEN> ... export HA_TOKEN="your_token_here"
Declare the credential requirements, document the minimum Home Assistant permissions needed, store the token securely, and provide clear revocation and rotation guidance.
If a different or untrusted `ha-cli` is found on the system, it could receive the Home Assistant token or perform unexpected device actions.
The skill documentation references executable files that are not present in the supplied manifest and there is no install spec, so the provenance of the command receiving the HA token is unclear.
homeassistant/ ... ha-cli # Main CLI executable ... ha # Bash wrapper
Include the reviewed executable or clearly declare a pinned, trusted dependency/source for `ha-cli`, and make the required binary explicit in metadata.
