Home Assistant Master

Review

Audited by ClawScan on May 1, 2026.

Overview

This is an instruction-only Home Assistant operations skill that can involve sensitive smart-home access, but its artifacts are coherent, read-first, and strongly approval-gated.

This skill appears safe to install as an instruction-only Home Assistant helper, but only connect it to your Home Assistant instance when you are comfortable with the agent seeing diagnostic data. Keep it read-only unless you explicitly want it to act, review the exact entities/services before confirming, and use least-privilege credentials stored in the platform’s secret storage.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If connected to Home Assistant, approved actions could affect physical devices, security-related devices, or Home Assistant availability.

Why it was flagged

The skill can guide or perform high-impact Home Assistant operations if runtime access exists, including physical access-control devices and platform actions, but it explicitly requires two-step confirmation for these tiers.

Skill content

Tier 2: sensitive writes (locks/alarms/garage/cameras/access). Tier 3: platform actions (restart/reload/update/restore). Require two-step confirmation for Tier 2/3.

Recommendation

Use read-only mode by default, verify the exact entities and services listed in the impact preview, and only confirm writes that are narrowly scoped and reversible.

What this means

Granting access could let the agent view Home Assistant data and, if permitted, perform actions as the connected Home Assistant user.

Why it was flagged

Operational use may rely on an authenticated Home Assistant session, connector, or token. This is expected for the stated purpose, and the artifact includes least-privilege and secret-storage guidance.

Skill content

The hosting agent/platform must provide one of: 1. Native Home Assistant connector/API integration, or 2. Browser relay access to an authenticated Home Assistant session, or 3. A platform-approved secure token flow.

Recommendation

Use the least-privileged Home Assistant account or token available, keep credentials in platform secret storage, and revoke or rotate access if exposure is suspected.

What this means

Diagnostics may expose household routines, device names, occupancy patterns, or integration details to the agent environment.

Why it was flagged

Home Assistant states, history, traces, and logs can reveal private household patterns. The skill's access is purpose-aligned and read-first, but users should understand that this data may pass through the hosting agent's connector or browser relay.

Skill content

Read-only diagnostics: states, history, traces, logs, integration health.

Recommendation

Run operational diagnostics only in a private, approved environment and ensure outputs redact secrets or sensitive household details before sharing.