Home Assistant Backup

Security checks across malware telemetry and agentic risk

Overview

This skill is openly intended for controlling Home Assistant, but it grants broad smart-home control through long-lived credentials and ships with too little safety guidance.

Install only if you are comfortable giving the agent authenticated control over Home Assistant. Use a dedicated least-privilege Home Assistant account if possible, protect the token file with restrictive permissions, avoid exposing tokens or webhook IDs, prefer HTTPS/WSS, and require explicit confirmation before actions involving locks, garage doors/covers, alarms, climate, scripts, automations, or generic service calls.
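The confirmation requirement in the paragraph above, as an added example that is not part of the skill under review: a policy gate that every agent-initiated service call passes through before it reaches the Home Assistant REST API. The domain allowlist, the sensitive-word heuristic and the `confirm` callback are this example's own assumptions; Home Assistant itself does not enforce any of them. Generic calls to domains the policy does not recognise default to "confirm", which is the safe direction for an `ha.sh call`-style passthrough.

```python
"""Confirmation gate for Home Assistant service calls.

Added example, not the skill's own code. It assumes the agent routes every
action through call_service(); the allowlists below are this example's
policy, not anything Home Assistant enforces.
"""
import json
import urllib.request

# Domains whose services have physical or cascading effects (locks, covers,
# alarms, HVAC, scripts, automations) plus the generic homeassistant.*
# services. Anything here needs an explicit operator "yes".
HIGH_IMPACT_DOMAINS = {
    "lock", "cover", "alarm_control_panel", "climate",
    "script", "automation", "homeassistant",
}
# The only domains auto-approved without confirmation. Narrow this further
# if, for example, a switch entity in your install drives a door relay.
LOW_IMPACT_DOMAINS = {"light", "media_player", "notify"}
# Heuristic (assumed): entity names suggesting a physical-security device.
SENSITIVE_WORDS = ("garage", "door", "lock", "alarm", "gate")


def classify(domain: str, service: str, data: dict) -> str:
    """Return "confirm" or "auto" for a proposed <domain>.<service> call.

    Unknown domains fall through to "confirm": a generic call of an
    arbitrary service is treated as high impact by default.
    """
    if domain in HIGH_IMPACT_DOMAINS or domain not in LOW_IMPACT_DOMAINS:
        return "confirm"
    # A low-impact service can still be aimed at a sensitive entity.
    ids = data.get("entity_id", [])
    if isinstance(ids, str):
        ids = [ids]
    for eid in ids:
        entity_domain = eid.split(".", 1)[0]
        if entity_domain in HIGH_IMPACT_DOMAINS or any(w in eid for w in SENSITIVE_WORDS):
            return "confirm"
    return "auto"


def call_service(base_url, token, domain, service, data, confirm):
    """POST /api/services/<domain>/<service> after the policy check.

    `confirm` is supplied by the orchestrator and must return True only on
    an explicit operator approval; blocked calls never reach the network.
    """
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send a long-lived token over plaintext HTTP")
    if classify(domain, service, data) == "confirm":
        if not confirm(f"{domain}.{service} {json.dumps(data, sort_keys=True)}"):
            return {"status": "blocked", "call": f"{domain}.{service}"}
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/services/{domain}/{service}",
        data=json.dumps(data).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {"status": "sent", "http": resp.status, "body": json.load(resp)}


if __name__ == "__main__":
    # Constructed requests; no Home Assistant instance is contacted.
    for call in [("light", "turn_on", {"entity_id": "light.kitchen"}),
                 ("lock", "unlock", {"entity_id": "lock.front_door"}),
                 ("homeassistant", "turn_off", {"entity_id": "light.all"}),
                 ("media_player", "play_media", {"entity_id": "media_player.garage"})]:
        print(f"{call[0]}.{call[1]} -> {classify(*call)}")
```

The `confirm` callback is deliberately outside the skill's control: if the same agent that proposes the action can also answer the prompt, the gate is theatre. Wire it to the orchestrator's human-approval path.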

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly relies on shell access via curl and jq, yet no explicit permissions are declared. That creates a capability-transparency gap: users or orchestration layers may authorize the skill without realizing it can execute shell commands that reach internal Home Assistant endpoints and perform real-world actions. In a home-automation context, undeclared shell capability increases risk because it can be used to enumerate devices, invoke services, and handle sensitive tokens.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior exceeds the stated purpose: it enables generic service invocation (`ha.sh call`), broad entity enumeration/search, and instance information retrieval, and it claims inbound webhook support without defining any receiver logic. This mismatch is dangerous because operators may grant trust based on the narrower description, while the skill can perform far more powerful authenticated actions against Home Assistant, including services with physical side effects. Overstated webhook support also encourages unsafe deployment assumptions around inbound automation handling.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation guidance is very broad, effectively inviting use for any Home Assistant entity or automation action. Overbroad triggering increases the chance the agent invokes the skill in ambiguous situations and issues unintended commands to physical devices, locks, covers, climate systems, or automations. In this context, accidental invocation can produce real-world effects, making broad routing guidance materially risky.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents commands that can directly control lights, covers, climate, scripts, scenes, and automations without warning about physical or environmental side effects. In a smart-home setting, triggering automations or service calls can open garage doors, alter HVAC, start media, or cascade into other automations, so omission of a safety warning materially increases misuse risk. The context makes this more dangerous than ordinary API actions because they affect the physical environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to create and store a long-lived access token in a config file or environment variable without clearly emphasizing that this credential grants authenticated control over the Home Assistant instance. If exposed through logs, shell history, backups, repo commits, or local compromise, the token can be used to enumerate entities and operate devices or automations remotely. Because Home Assistant often controls physical security and home infrastructure, token mishandling has elevated impact.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The webhook section shows how to create inbound automation triggers but does not warn that webhook URLs function as bearer secrets that can directly trigger actions inside the home environment. In this skill context, undocumented or weakly protected webhook endpoints are more dangerous because they can bridge external input into automations controlling locks, doors, alarms, lights, or notifications.
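The "webhook URL as bearer secret" point above, as an added example that is not part of the skill: the webhook endpoint `/api/webhook/<webhook_id>` takes no token, so the ID is the only credential. The trigger dictionaries mirror the fields of a Home Assistant webhook trigger (`platform`, `webhook_id`, `allowed_methods`, `local_only`); the strength heuristic, the sample IDs and the function names are this example's own assumptions.

```python
"""Webhook IDs as bearer secrets: a weak trigger beside a hardened one.

Added example, not the skill's own code. The dicts use the field names of a
Home Assistant webhook trigger; the strength heuristic is this example's.
"""
import secrets
from typing import Optional


def webhook_url(base_url: str, webhook_id: str) -> str:
    """The URL anyone can call once they know the ID: no token, no login."""
    return f"{base_url.rstrip('/')}/api/webhook/{webhook_id}"


def is_strong_webhook_id(webhook_id: str) -> bool:
    """Heuristic: long enough to resist guessing and not a recognisable word.

    secrets.token_urlsafe(32) yields 43 characters from a 64-symbol alphabet,
    which comfortably passes; "open_garage" does not.
    """
    return len(webhook_id) >= 32 and len(set(webhook_id)) >= 16


# Constructed weak trigger: a guessable ID with Home Assistant's defaults,
# which accept POST and PUT from any source the instance is reachable from.
WEAK_TRIGGER = {"platform": "webhook", "webhook_id": "open_garage"}


def make_webhook_trigger(webhook_id: Optional[str] = None,
                         local_only: bool = True) -> dict:
    """Hardened trigger: random ID, POST only, LAN-only unless overridden."""
    wid = webhook_id or secrets.token_urlsafe(32)
    if not is_strong_webhook_id(wid):
        raise ValueError("webhook_id is guessable; generate it with secrets.token_urlsafe(32)")
    return {
        "platform": "webhook",
        "webhook_id": wid,
        "allowed_methods": ["POST"],
        "local_only": local_only,
    }


if __name__ == "__main__":
    base = "https://your-ha-instance.duckdns.org"  # placeholder host from the skill docs
    print("weak:    ", webhook_url(base, WEAK_TRIGGER["webhook_id"]))
    hardened = make_webhook_trigger()
    print("hardened:", webhook_url(base, hardened["webhook_id"]), hardened["local_only"])
```

Treat the generated ID like the long-lived token: keep it out of chat transcripts, shell history and repository commits, and rotate it by regenerating the trigger if it leaks. Set `local_only` to False only when an external caller genuinely needs the hook, and then front it with the reverse proxy's own authentication.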

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The WebSocket example uses an insecure `ws://` URL while transmitting an access token, without any warning to use secure transport (`wss://`). In a smart-home skill, interception of that token could grant broad visibility into device states and permit high-impact control actions through the authenticated API.
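The two preceding findings (token stored in a config file or environment variable; token sent over `ws://`) share one fix, shown here as an added example that is not the skill's own code: load the credential only from a file nobody else can read, refuse plaintext transport to any host that is not loopback, and never let the raw token reach a log line. It assumes the config layout the skill documents (`~/.config/home-assistant/config.json` with `url` and `token` keys); the environment variable name `HA_TOKEN`, the loopback exception and the permission rule are this example's assumptions. The `auth_message` helper is the first client frame of Home Assistant's WebSocket handshake, sent in reply to the server's `auth_required` frame.

```python
"""Credential and transport hygiene for the skill's long-lived token.

Added example, not the skill's own code. Assumes the documented config file
layout ("url" and "token" keys) and an environment-variable fallback named
HA_TOKEN (an assumed name); the permission and scheme rules are this
example's policy.
"""
import json
import os
import stat
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def check_private_file(path: Path) -> None:
    """Refuse a token file that anyone but its owner can read or write."""
    st = path.stat()
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other; run chmod 600 on it")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")


def websocket_url(base_url: str) -> str:
    """Derive the WebSocket endpoint from the base URL.

    https:// becomes wss://. Plaintext is tolerated only for a loopback host,
    where the token never crosses a network; anything else is refused rather
    than silently downgraded.
    """
    parts = urlsplit(base_url)
    if parts.scheme == "https":
        scheme = "wss"
    elif parts.scheme == "http" and (parts.hostname or "") in LOOPBACK:
        scheme = "ws"
    else:
        raise ValueError(f"refusing {parts.scheme}:// to {parts.hostname}; use https://")
    return urlunsplit((scheme, parts.netloc, "/api/websocket", "", ""))


def redact(token: str) -> str:
    """Safe form for logs and error messages: a short prefix only."""
    return token[:6] + "..." if len(token) > 6 else "***"


def auth_message(token: str) -> dict:
    """Client reply to the server's {"type": "auth_required"} frame."""
    return {"type": "auth", "access_token": token}


def load_config(path: Path = Path.home() / ".config" / "home-assistant" / "config.json") -> dict:
    """Load url/token, enforcing file permissions and transport security."""
    check_private_file(path)
    cfg = json.loads(path.read_text())
    token = cfg.get("token") or os.environ.get("HA_TOKEN")
    if not token:
        raise ValueError("no token in the config file or HA_TOKEN")
    url = cfg["url"].rstrip("/")
    return {"url": url, "ws_url": websocket_url(url),
            "token": token, "token_display": redact(token)}


if __name__ == "__main__":
    import tempfile
    # Constructed config in a temp dir so the example runs without a real ~/.config.
    p = Path(tempfile.mkdtemp()) / "config.json"
    p.write_text(json.dumps({"url": "https://your-ha-instance.duckdns.org",
                             "token": "eyJhbGciOi.constructed.example"}))
    os.chmod(p, 0o600)
    cfg = load_config(p)
    print(cfg["ws_url"], cfg["token_display"])
    os.chmod(p, 0o644)
    try:
        load_config(p)
    except PermissionError as e:
        print("rejected:", e)
```

Log `token_display`, never `token`; the same discipline applies to the `curl -H "Authorization: Bearer ..."` lines the skill documents, which land in shell history unless the token is read from the file at call time.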

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 1: Config File (Recommended)

Create `~/.config/home-assistant/config.json`:
```json
{
  "url": "https://your-ha-instance.duckdns.org",
```
Confidence
89% confidence
Finding
Create `~/.config

VirusTotal

63 of 63 vendors reported this skill as clean.

View on VirusTotal