๐Ÿก Home Assistant Builder (hab)

Review

Audited by ClawScan on May 13, 2026.

Overview

The skill is coherent for Home Assistant management, but it uses a Home Assistant token, can change home and system settings, and auto-downloads the latest CLI release from GitHub on first use without pinning a version or verifying a checksum.

Install this only if you trust the Home Assistant Builder GitHub releases and are comfortable giving the CLI a Home Assistant token. Prefer read-only, schema, plan, or dry-run commands first, and require explicit confirmation before deletes, restarts, backup restore/delete, network changes, or ESPHome hardware actions.

Publisher note

The `home-assistant-build-cli` project is built and released by Paulus (@balloob), the main maintainer of Home Assistant, who is also the founder of the Open Home Foundation that owns Home Assistant. It can be trusted.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Mistaken commands could alter automations, dashboards, backups, network settings, ESPHome devices, or restart Home Assistant.

Why it was flagged

The skill can drive high-impact Home Assistant operations, but it explicitly instructs previewing, confirming risky actions, and verifying results.

Skill content
inspect, create, update, delete, operate... Always ask for explicit user confirmation before operations that can cause downtime, data loss, connectivity loss, or hardware changes
Recommendation

Use read-only and plan/dry-run commands first, and only approve restart, delete, network, restore, or ESPHome hardware actions after reviewing the exact command.

What this means

Anyone, or any agent, that can use the token through this CLI can inspect or change the connected Home Assistant instance, limited only by that token's privileges.

Why it was flagged

The skill requires a Home Assistant URL and token, which are expected for this integration but are sensitive because they may authorize account or home-system changes.

Skill content
"requires": { "anyBins": ["curl", "wget"], "env": ["HAB_TOKEN", "HAB_URL"] }, "primaryEnv": "HAB_TOKEN"
Recommendation

Use the least-privileged token available, keep it out of logs and shared prompts, and revoke or rotate it if the environment is exposed. Note that a Home Assistant long-lived access token carries the full privileges of the user that created it, so issue the token under a dedicated non-administrator user rather than your own account.
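As an added illustration of the token-handling recommendation (this is example code, not part of the skill or the hab CLI), the following wrapper refuses a token file that other local users can read, passes the token to the child process only through its environment rather than on the command line, and masks every occurrence of the token in the child's output before it can reach a log. The token file path, the constructed token value and the `sh -c` stand-in for the real CLI are assumptions; the masking uses awk's `index()` rather than a regex so that token characters are never interpreted as pattern syntax.

```shell
#!/bin/sh
# Added example, not part of the skill: keep HAB_TOKEN off the command line and
# out of logs. Assumed placeholders: the token file path and the command that
# stands in for the hab CLI (sh -c ... in the demo).
set -eu

# Refuse a token file that group or others can read. A Home Assistant
# long-lived token acts with every permission of the user who issued it.
token_file_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Mask every occurrence of the token in a text stream using awk index(), not a
# regex, so token characters are never interpreted as pattern syntax.
# (awk -v processes backslash escapes; JWT-style tokens contain none.)
redact_token() {
    awk -v tok="$1" '
        tok == "" { print; next }
        {
            out = ""; line = $0
            while ((i = index(line, tok)) > 0) {
                out = out substr(line, 1, i - 1) "[REDACTED]"
                line = substr(line, i + length(tok))
            }
            print out line
        }'
}

# Run a command with the token only in its environment (argv is visible to
# every local user via ps) and pass all of its output through the redactor
# before anything reaches a log.
run_with_token() {
    token_file="$1"; shift
    if ! token_file_is_private "$token_file"; then
        echo "refusing: $token_file is readable by other users" >&2
        return 1
    fi
    HAB_TOKEN="$(cat "$token_file")"
    export HAB_TOKEN
    "$@" 2>&1 | redact_token "$HAB_TOKEN"
}

# Offline demonstration with a constructed token and a chatty stand-in CLI.
demo() {
    workdir="$(mktemp -d)"
    printf 'constructed.example-token_value\n' > "$workdir/token"
    chmod 0644 "$workdir/token"
    run_with_token "$workdir/token" true || echo "world-readable token file rejected"
    chmod 0600 "$workdir/token"
    run_with_token "$workdir/token" sh -c 'echo "debug: Authorization: Bearer $HAB_TOKEN"'
    rm -rf "$workdir"
}
demo
```

In the demo the stand-in "CLI" deliberately echoes its bearer token; the only line that leaves the wrapper reads `debug: Authorization: Bearer [REDACTED]`. Replace `sh -c ...` with the real `hab` invocation to apply the same guard to the skill.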

What this means

The actual CLI code that receives commands and can use the Home Assistant token is not included in the scanned artifacts and may change when the upstream latest release changes.

Why it was flagged

On first use, the wrapper downloads the latest external release binary, marks it executable, caches it, and runs it. The artifact does not pin a version or verify a checksum/signature.

Skill content
BASE_URL="https://github.com/${REPO}/releases/latest/download" ... chmod +x "${tmp_file}" ... exec "${binary_path}" "$@"
Recommendation

Install only if you trust the upstream GitHub releases; consider pinning a known version or verifying release checksums/signatures before use.
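As an added example of the pinning and verification this recommendation asks for (example code, not the skill's wrapper and not the upstream project's release tooling), the following script builds a release URL for a fixed tag instead of `releases/latest/download`, checks the downloaded file's SHA-256 against an expected digest, and only then marks it executable and moves it into place; a mismatching file is deleted rather than left where a later `chmod +x` could reach it. The repository, tag, asset name and expected digest are placeholders that a real deployment would take from a reviewed release checksum file; the demo uses constructed local files instead of a network download.

```shell
#!/bin/sh
# Added example, not the skill's wrapper: download a pinned release tag and
# verify its SHA-256 before the binary is made executable or run.
# Assumed placeholders: the repo, tag and asset names, and the expected digest,
# which a real deployment would take from a reviewed release checksum file.
set -eu

# A pinned GitHub release URL; the skill's wrapper uses releases/latest/download,
# which silently resolves to whatever the newest release is at run time.
pinned_url() {
    printf '%s\n' "https://github.com/$1/releases/download/$2/$3"
}

# SHA-256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Compare a downloaded file with the expected digest. On mismatch the file is
# deleted so a later step cannot chmod or exec it by accident.
verify_checksum() {
    actual="$(sha256_of "$1")"
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s: expected %s, got %s\n' "$1" "$2" "$actual" >&2
    rm -f "$1"
    return 1
}

# Only a verified file becomes executable and is moved into place.
install_verified() {
    verify_checksum "$1" "$2" || return 1
    chmod 0755 "$1"
    mv "$1" "$3"
}

# Offline demonstration with constructed files standing in for the download.
demo() {
    workdir="$(mktemp -d)"
    echo "would fetch: $(pinned_url "${REPO:-owner/repo}" v1.2.3 hab-linux-amd64)"
    printf '#!/bin/sh\necho hab-stub\n' > "$workdir/hab.download"
    good="$(sha256_of "$workdir/hab.download")"
    install_verified "$workdir/hab.download" "$good" "$workdir/hab"
    echo "installed $(ls -l "$workdir/hab" | cut -d ' ' -f 1) $workdir/hab"
    # A tampered download must be refused and removed, not run.
    printf 'tampered\n' > "$workdir/hab2.download"
    if install_verified "$workdir/hab2.download" "$good" "$workdir/hab2"; then
        echo "BUG: tampered file accepted" >&2
    fi
    if [ ! -e "$workdir/hab2.download" ]; then
        echo "tampered download removed"
    fi
    rm -rf "$workdir"
}
demo
```

To use this with the real wrapper, replace the `releases/latest/download` base URL with `pinned_url`, fetch the asset with curl or wget to a temporary file, and call `install_verified` with the digest taken from the release's published checksum file before the existing `chmod +x` and `exec` lines.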