Home Assistant Assist
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill is coherent, but it can send fire-and-forget commands to Home Assistant that may operate any connected smart-home device using a long-lived token.
Install only if you are comfortable giving OpenClaw the ability to control your Home Assistant devices. Prefer a dedicated token, keep it secret, and add your own confirmation or allowlist rules for sensitive devices such as doors, covers, thermostats, or other safety/security-relevant equipment.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misunderstood, ambiguous, or overly broad command could change physical devices such as lights, thermostats, covers, vacuums, or media players without an extra safety check.
The skill grants broad device-control authority through Home Assistant Assist and tells the agent not to add validation or confirmation before execution.
Use this skill when the user wants to control or query any smart home device... **Fire and forget** — trust Assist to handle ... execution.
Use explicit confirmation for sensitive actions, restrict allowed Home Assistant domains/entities where possible, and avoid fire-and-forget behavior for security- or safety-relevant devices.
If the token is exposed or misused, someone or another agent action could query or control the Home Assistant instance.
The skill requires a Home Assistant bearer token. This is expected for the integration, but long-lived tokens are sensitive and may carry broad Home Assistant privileges.
"HASS_TOKEN": "your-long-lived-access-token"
Store the token securely, use a dedicated Home Assistant user/token with the least practical permissions, and revoke the token when it is no longer needed.