Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Home Assistant Assist

v1.1.1

Control Home Assistant smart home devices using the Assist (Conversation) API. Use this skill when the user wants to control smart home entities - lights, sw...

6 · 3.1k · 14 current · 14 all-time
by DevCats @developmentcats

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for developmentcats/homeassistant-assist.

Install the skill "Home Assistant Assist" (developmentcats/homeassistant-assist) from ClawHub.
Skill page: https://clawhub.ai/developmentcats/homeassistant-assist
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: HASS_SERVER, HASS_TOKEN
Required binaries: curl
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install homeassistant-assist

ClawHub CLI

npx clawhub@latest install homeassistant-assist

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability

Name/description (control Home Assistant via Assist) match the declared requirements: curl, HASS_SERVER, and HASS_TOKEN. Nothing requested (no unrelated cloud keys, no OS config paths) is out of scope for a Home Assistant integration.

Instruction Scope

SKILL.md is instruction-only and limited to a single API call (POST to /api/conversation/process) and relaying response.speech.plain.speech. It does not instruct reading other files, searching system state, or contacting other external endpoints. The guidance to 'trust Assist' and 'fire and forget' is a design choice (it delegates intent parsing to HA) and not an instruction to access unrelated data.

Install Mechanism

There is no install spec or code to download — instruction-only skill. Low risk: nothing is written to disk by the skill package itself; it relies on curl being present at runtime.

Credentials

Only HASS_SERVER and HASS_TOKEN are required and HASS_TOKEN is correctly declared as the primary credential. These are proportionate to the skill's functionality. Note: Home Assistant long-lived tokens grant whatever permissions the associated user has, so token scope is effectively the user's privileges.

Persistence & Privilege

Skill does not request always:true, has no install hooks, and is user-invocable only. It does not modify other skills or system-wide settings. Agent autonomous invocation is default but not combined with other red flags here.

Scan Findings in Context

[base64-block] unexpected: A base64-encoded SVG/badge was detected in the README (embedded badge image). This is a documentation artifact and not used at runtime by the SKILL.md instructions. It's flagged as a pattern that can be used in prompt-injection scenarios, but here it appears harmless and not relevant to the skill's operation.

Assessment

This skill is coherent with its description and appears to do only what it claims: forward natural language to Home Assistant's Assist API and relay the reply. Before installing, consider the following:

  1. HASS_TOKEN is a long-lived access token tied to a Home Assistant user — anyone with it can act as that user. Prefer creating a dedicated Home Assistant user with limited permissions for OpenClaw, rather than using your personal/admin token.
  2. Host the HASS_SERVER URL over HTTPS and ensure network access is restricted as appropriate.
  3. Be aware that 'fire and forget' means the skill will execute whatever Assist maps the phrase to (including potentially sensitive actions such as unlocking doors if the token permits). If you need extra safety, restrict the account's permissions or avoid giving the skill control of critical entities.
  4. The base64 badge flagged by the scanner is only in documentation and not executed at runtime.

If you want higher assurance, review the skill's upstream repo (provided homepage) or run the skill in a non-production environment first.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🏠 Clawdis
Bins: curl
Env: HASS_SERVER, HASS_TOKEN
Primary env: HASS_TOKEN
latest vk9765t1epjknzzate47nga05xs81qkxs
3.1k downloads
6 stars
4 versions
Updated 7h ago
v1.1.1
MIT-0

Home Assistant Assist

Control smart home devices by passing natural language to Home Assistant's Assist (Conversation) API. Fire and forget — trust Assist to handle intent parsing, entity resolution, and execution.

When to Use This Skill

Use this skill when the user wants to control or query any smart home device. If it's in Home Assistant, Assist can handle it.

How It Works

Pass the user's request directly to Assist:

curl -s -X POST "$HASS_SERVER/api/conversation/process" \
  -H "Authorization: Bearer $HASS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"text": "USER REQUEST HERE", "language": "en"}'

Trust Assist. It handles:

  • Intent parsing
  • Fuzzy entity name matching
  • Area-aware commands
  • Execution
  • Error responses

Handling Responses

Just relay what Assist says. The response.speech.plain.speech field contains the human-readable result.

  • "Turned on the light" → Success, tell the user
  • "Sorry, I couldn't understand that" → Assist couldn't parse it
  • "Sorry, there are multiple devices called X" → Ambiguous name

Don't over-interpret. If Assist says it worked, it worked. Trust the response.

When Assist Returns an Error

Only if Assist returns an error (response_type: "error"), you can suggest HA-side improvements:

Error              Suggestion
no_intent_match    "HA didn't recognize that command"
no_valid_targets   "Try checking the entity name in HA, or add an alias"
Multiple devices   "There may be duplicate names — consider adding unique aliases in HA"

These are suggestions for improving HA config, not skill failures. The skill did its job — it passed the request to Assist.

Setup

Set environment variables in OpenClaw config:

{
  "env": {
    "HASS_SERVER": "https://your-homeassistant-url",
    "HASS_TOKEN": "your-long-lived-access-token"
  }
}

Generate a token: Home Assistant → Profile → Long-Lived Access Tokens → Create Token

API Reference

Endpoint

POST /api/conversation/process

Note: Use /api/conversation/process, NOT /api/services/conversation/process.

Request

{
  "text": "turn on the kitchen lights",
  "language": "en"
}

Response

{
  "response": {
    "speech": {
      "plain": {"speech": "Turned on the light"}
    },
    "response_type": "action_done",
    "data": {
      "success": [{"name": "Kitchen Light", "id": "light.kitchen"}],
      "failed": []
    }
  }
}
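
The following Python example is added here and is not code from the skill or from Home Assistant. It builds the request body with a JSON serializer, so user text is never pasted into a quoted string, and audits a reply in the documented shape so that successful actions on critical entities (the scan's door-unlock concern) are flagged for review. The SENSITIVE_DOMAINS policy, the function names and the sample replies are assumptions constructed for illustration.

```python
import json

# Assumption: which entity domains count as critical is a local policy choice.
SENSITIVE_DOMAINS = ("lock", "alarm_control_panel", "cover")


def build_request(text, language="en"):
    """Serialize the body with json.dumps so quotes or braces in the user's
    text cannot break out of the "text" field."""
    return json.dumps({"text": text, "language": language})


def audit_response(raw):
    """Summarize an Assist reply and flag successful actions on sensitive entities."""
    response = json.loads(raw).get("response", {})
    data = response.get("data") or {}
    succeeded = [t.get("id", "") for t in data.get("success") or []]
    failed = [t.get("id", "") for t in data.get("failed") or []]
    sensitive = [i for i in succeeded if i.split(".", 1)[0] in SENSITIVE_DOMAINS]
    return {
        "speech": response.get("speech", {}).get("plain", {}).get("speech", ""),
        "response_type": response.get("response_type"),
        "succeeded": succeeded,
        "failed": failed,
        "sensitive": sensitive,
        "needs_review": bool(sensitive),
    }


def _reply(speech, name, entity_id):
    """Build a constructed sample reply in the shape of the documented response."""
    return json.dumps({"response": {
        "speech": {"plain": {"speech": speech}},
        "response_type": "action_done",
        "data": {"success": [{"name": name, "id": entity_id}], "failed": []},
    }})


# Constructed samples; the lock reply is hypothetical, not captured output.
SAMPLE_LIGHT = _reply("Turned on the light", "Kitchen Light", "light.kitchen")
SAMPLE_LOCK = _reply("Unlocked the lock", "Front Door", "lock.front_door")

if __name__ == "__main__":
    print(build_request('turn on the "kitchen" lights'))
    for sample in (SAMPLE_LIGHT, SAMPLE_LOCK):
        print(audit_response(sample))
```

The audit runs after Assist has already acted, so it supports logging and alerting; preventing the action still depends on restricting the token's Home Assistant user.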

Philosophy

  • Trust Assist — It knows the user's HA setup better than we do
  • Fire and forget — Pass the request, relay the response
  • Don't troubleshoot — If something doesn't work, suggest HA config improvements
  • Keep it simple — One API call, natural language in, natural language out
