ClawHub

Home Assistant Control

v1.0.3

Control and inspect Home Assistant via REST API for entities, states, services, scenes, scripts, and automations. Use when the user asks to turn devices on/o...

0· 797·2 current·2 all-time
by@hogar23
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the requested binaries and environment variables: bash, curl, jq and HA_TOKEN/HA_URL_* are exactly what a Home Assistant REST wrapper needs. Scripts operate against /api/... endpoints and provide entity discovery, safe action execution, and reference generation — all coherent with the stated purpose.
Instruction Scope
SKILL.md and the scripts confine their actions to Home Assistant API calls and local reference files. They validate paths begin with /api/, avoid arbitrary shell eval when loading env files, confirm entities before acting, and require explicit user confirmation for risky domains. No instructions ask the agent to read unrelated system files or send data to endpoints outside the configured HA base URL.
Install Mechanism
There is no install spec (instruction-only packaging). The repo includes shell scripts only; no external downloads or package installs are performed by the skill itself, minimizing install-time risk.
Credentials
Requested env vars (HA_TOKEN, HA_URL_PUBLIC, optional HA_URL_LOCAL/HA_URL/HA_ENV_FILE) are necessary and proportionate for talking to Home Assistant. The included ha_env.sh explicitly allowlists keys and parses env files without sourcing, limiting scope. The skill does require a long-lived token (which by design can control devices) — this is appropriate for the capability but carries the expected privilege.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges or modify other skills. It does not persist credentials into unrelated configs. Scripts write only to their own reference files (entities/naming-context) and temporary files during operation.
Assessment
This skill appears to do exactly what it says: call Home Assistant's REST API and provide helper scripts. Before installing, ensure you trust the skill source and the GitHub repo, and keep in mind that HA_TOKEN is powerful — anyone with it can control devices. Store HA_TOKEN in a private file with strict permissions (the skill supports an HA_ENV_FILE), prefer HTTPS HA_URL_PUBLIC for remote access, and review the scripts yourself if you want to be extra cautious. Run scripts/self_check.sh first to validate connectivity and environment. If you need least-privilege access, consider creating a token with limited permissions in Home Assistant rather than using a full-administration token.

Like a lobster shell, security has layers — review code before you run it.

latestvk971manzn5d0gxaxyk773e3dkx81c9ad

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏠 Clawdis
Binsbash, curl, jq
EnvHA_TOKEN, HA_URL_PUBLIC

Comments