Home Assistant Control

Audited by ClawScan on May 10, 2026.

Overview

This skill's content matches its stated purpose, Home Assistant control, but it needs a long-lived Home Assistant token and can change the state of real smart-home devices.

Install only if you are comfortable letting the agent use a Home Assistant token to inspect and control your devices. Keep the token in a private env file, use HTTPS for public access, review action previews, avoid --yes for risky actions, and keep generated entity/naming files private.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is exposed or over-permissioned, someone could inspect sensors or control Home Assistant devices available to that account.

Why it was flagged

The skill requires a Home Assistant long-lived access token. That is expected for the stated integration, but such a token carries the full permissions of the user who created it, so it grants sensitive account and device access.

Skill content
Use Home Assistant REST API with a long-lived access token. ... `HA_TOKEN` (required)
Recommendation

Store the token outside the skill folder, create it from a dedicated Home Assistant user with the fewest permissions the skill needs (a non-administrator account where possible), prefer HTTPS for any URL reachable from outside the local network, and revoke or rotate the token if it may have been compromised.
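The checks a wrapper around this skill could run before it ever sends the token, as an added example for this review rather than code from the skill itself. It assumes the token lives in a private env file of the form HA_TOKEN=... (the file name, the skill directory argument and the policy of refusing group/world-readable files and plain http off the local network are all assumptions; the skill only requires HA_TOKEN in its environment):

```python
import ipaddress
import os
import stat
from typing import List, Optional
from urllib.parse import urlsplit

# Example added for this review; it is not the skill's own code. The skill reads
# HA_TOKEN from the environment, so the env-file layout, the skill_dir check and
# the "https unless on the LAN" rule below are assumptions of this example.


class TokenConfigError(Exception):
    """Raised when the token file or base URL setup would expose the token."""


def token_file_problems(path: str, skill_dir: Optional[str] = None) -> List[str]:
    """Return reasons the token file must not be used (empty list if it is fine).

    Checks: the file exists, is not a symlink, is not group/world accessible,
    and is not inside the skill folder (where it could be packaged or committed).
    """
    problems: List[str] = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: token file not found"]
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path}: refusing to follow a symlink")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):o} is group/world accessible; use 0600")
    if skill_dir is not None:
        real_path = os.path.realpath(path)
        real_dir = os.path.realpath(skill_dir)
        if os.path.commonpath([real_path, real_dir]) == real_dir:
            problems.append(f"{path}: token file lives inside the skill folder {skill_dir}")
    return problems


def load_token(path: str, skill_dir: Optional[str] = None) -> str:
    """Read HA_TOKEN from a private env file, refusing unsafe files."""
    problems = token_file_problems(path, skill_dir)
    if problems:
        raise TokenConfigError("; ".join(problems))
    token = ""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("HA_TOKEN="):
                token = line[len("HA_TOKEN="):].strip().strip("\"'")
    if not token:
        raise TokenConfigError(f"{path}: no HA_TOKEN value found")
    return token


def _is_local_host(host: str) -> bool:
    """True for loopback, RFC 1918, link-local and .local names (assumed LAN-only)."""
    if host == "localhost" or host.endswith(".local"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def base_url_problem(url: str) -> Optional[str]:
    """Return why the base URL is unacceptable, or None if it is fine.

    A bearer token sent over plain http to a non-local host is readable by any
    on-path observer, so http is tolerated only for LAN/loopback addresses.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None
    if parts.scheme == "http" and _is_local_host(parts.hostname or ""):
        return None
    return f"{url}: use https for a Home Assistant instance that is not on the local network"


if __name__ == "__main__":
    # Stand-alone demo on constructed inputs: a private env file is accepted,
    # a public http URL is rejected.
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        env_path = os.path.join(tmp, "ha.env")
        with open(env_path, "w", encoding="utf-8") as fh:
            fh.write("HA_TOKEN=example-long-lived-token\n")
        os.chmod(env_path, 0o600)
        print("token loaded:", bool(load_token(env_path, skill_dir=os.getcwd())))
    print(base_url_problem("http://ha.example.com:8123"))
```

The mode check looks at permission bits rather than trying to read the file, so it still flags a world-readable token file when the wrapper happens to run as root; the skill_dir check resolves symlinks on both sides so a token "moved" out of the skill folder via a link is still caught.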

What this means

A mistaken or overbroad action could turn devices on or off, unlock/lock devices, move covers, or trigger scenes/scripts depending on the user's Home Assistant setup.

Why it was flagged

The script can send Home Assistant service calls that mutate device state. It shows an action preview and prompts before calls in risky domains, but it also documents a --yes flag that skips those confirmation prompts.

Skill content
--yes         Skip confirmation prompts ... if ! "$CALL" POST "/api/services/$DOMAIN/$SERVICE" "$PAYLOAD"
Recommendation

Use dry-run and action previews, avoid --yes for high-impact actions unless explicitly intended, and verify entity IDs/services before allowing changes.
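A guard that applies this recommendation before a service call is sent, as an added example for this review and not the skill's own code. The skill's actual risky-domain list and prompt text are not shown on the page, so the RISKY_DOMAINS set, the rule that --yes never auto-confirms a risky domain, and the known-entity check against a list of entity IDs are assumptions of this example:

```python
import json
import re
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Example added for this review, not the skill's own code. RISKY_DOMAINS and the
# "--yes is ignored for risky domains" policy are assumptions; the skill's real
# list and prompts are not shown on the page.
RISKY_DOMAINS = frozenset({
    "lock", "cover", "alarm_control_panel", "script", "scene",
    "automation", "shell_command",
})
ENTITY_ID_RE = re.compile(r"^[a-z0-9_]+\.[a-z0-9_]+$")


@dataclass
class Decision:
    proceed: bool                      # True only when the call may be sent
    preview: str                       # what would be sent, for the user to review
    reasons: List[str] = field(default_factory=list)


def guard_service_call(domain: str, service: str, payload: Dict, known_entities: Set[str], *,
                       yes: bool = False, dry_run: bool = False,
                       confirm: Optional[Callable[[str], bool]] = None) -> Decision:
    """Decide whether POST /api/services/<domain>/<service> may be sent.

    Verifies every entity_id is well formed, exists, and belongs to the service's
    domain (the generic 'homeassistant' domain accepts any entity); then applies
    dry-run, the risky-domain rule, and the --yes / interactive confirmation.
    """
    reasons: List[str] = []
    targets = payload.get("entity_id", [])
    if isinstance(targets, str):
        targets = [targets]
    if not targets:
        reasons.append("payload has no entity_id")
    for eid in targets:
        if not ENTITY_ID_RE.match(eid):
            reasons.append(f"malformed entity_id {eid!r}")
        elif eid not in known_entities:
            reasons.append(f"unknown entity_id {eid!r} (typo or stale alias?)")
        elif domain != "homeassistant" and eid.split(".", 1)[0] != domain:
            reasons.append(f"{eid} is not a {domain} entity: wrong target or wrong service domain")
    preview = f"POST /api/services/{domain}/{service} {json.dumps(payload, sort_keys=True)}"
    if reasons:
        return Decision(False, preview, reasons)
    if dry_run:
        return Decision(False, preview, ["dry-run: nothing sent"])
    if domain in RISKY_DOMAINS:
        # High-impact domains are never auto-confirmed by --yes.
        if confirm is None or not confirm(preview):
            return Decision(False, preview, [f"{domain} is high impact: --yes is ignored, interactive confirmation required"])
        return Decision(True, preview, ["risky domain confirmed interactively"])
    if yes or (confirm is not None and confirm(preview)):
        return Decision(True, preview)
    return Decision(False, preview, ["not confirmed"])


def send_service_call(base_url: str, token: str, domain: str, service: str,
                      payload: Dict, decision: Decision):
    """Send the call only after the guard approved it (network call; not exercised here)."""
    if not decision.proceed:
        raise PermissionError("; ".join(decision.reasons))
    req = urllib.request.Request(
        f"{base_url}/api/services/{domain}/{service}",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed entity list standing in for the result of GET /api/states.
    known = {"light.kitchen", "lock.front_door", "switch.garage"}
    print(guard_service_call("light", "turn_on", {"entity_id": "light.kitchen"}, known, yes=True))
    print(guard_service_call("lock", "unlock", {"entity_id": "lock.front_door"}, known, yes=True))
    print(guard_service_call("light", "turn_on", {"entity_id": "lock.front_door"}, known, yes=True))
```

The domain/entity cross-check catches the most common agent mistake with these calls: resolving a friendly name to an entity in one domain and then calling a service from another, which Home Assistant may silently ignore or, worse, apply to the wrong device.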

What this means

Generated reference files may reveal room/device names, and stale or incorrect aliases could cause the agent to target the wrong entity.

Why it was flagged

The skill can persist Home Assistant entity IDs and friendly names into a local naming context used for future natural-language resolution.

Skill content
OUT_FILE="${1:-$SCRIPT_DIR/../references/naming-context.md}" ... "$CALL" GET /api/states > "$TMP_JSON"
Recommendation

Keep generated reference files private, do not commit them publicly, and review manual aliases before relying on natural-language device names.
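How a naming-context builder can surface the two problems this finding describes, ambiguous friendly names and stale aliases, and write its output owner-only. This is an added example for this review, not the skill's code: the states below are a constructed stand-in for a GET /api/states response, and the markdown layout, the alias dictionary and the casefolded name matching are assumptions rather than the skill's actual file format:

```python
import json
import os
from collections import defaultdict
from typing import Dict, List

# Example added for this review, not the skill's own code. SAMPLE_STATES is a
# constructed stand-in for GET /api/states; the markdown layout, alias format and
# matching rules are assumptions.
SAMPLE_STATES = json.loads("""
[
  {"entity_id": "light.kitchen", "state": "off", "attributes": {"friendly_name": "Kitchen Light"}},
  {"entity_id": "light.bedroom_ceiling", "state": "on", "attributes": {"friendly_name": "Bedroom Light"}},
  {"entity_id": "light.bedroom_lamp", "state": "off", "attributes": {"friendly_name": "Bedroom Light"}},
  {"entity_id": "lock.front_door", "state": "locked", "attributes": {"friendly_name": "Front Door"}},
  {"entity_id": "sensor.outdoor_temp", "state": "17.5", "attributes": {}}
]
""")


def _norm(name: str) -> str:
    """Collapse whitespace and casefold so 'Kitchen  light' matches 'Kitchen Light'."""
    return " ".join(name.split()).casefold()


def build_naming_context(states: List[Dict]) -> Dict[str, List[str]]:
    """Map each normalised friendly name to every entity_id that carries it.

    A name mapping to more than one entity is ambiguous and must not be used as
    a natural-language target without disambiguation.
    """
    ctx = defaultdict(list)
    for s in states:
        name = s.get("attributes", {}).get("friendly_name")
        if name:
            ctx[_norm(name)].append(s["entity_id"])
    return {k: sorted(v) for k, v in ctx.items()}


def stale_aliases(aliases: Dict[str, str], states: List[Dict]) -> List[str]:
    """Manual aliases whose entity_id no longer exists in /api/states."""
    known = {s["entity_id"] for s in states}
    return sorted(a for a, eid in aliases.items() if eid not in known)


def resolve_name(name: str, ctx: Dict[str, List[str]], aliases: Dict[str, str], states: List[Dict]) -> str:
    """Turn a spoken name into exactly one entity_id, or refuse.

    Manual aliases win over generated names but are checked against live state
    so a stale alias cannot silently target the wrong (or a vanished) entity.
    """
    key = _norm(name)
    known = {s["entity_id"] for s in states}
    if key in aliases:
        eid = aliases[key]
        if eid not in known:
            raise LookupError(f"alias {name!r} points at {eid}, which no longer exists")
        return eid
    matches = ctx.get(key, [])
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise LookupError(f"no entity named {name!r}")
    raise LookupError(f"{name!r} is ambiguous: {', '.join(matches)}")


def render_markdown(ctx: Dict[str, List[str]]) -> str:
    """Reference table for the agent; ambiguous names are flagged in the output."""
    lines = ["| friendly name | entity_id(s) | note |", "|---|---|---|"]
    for key in sorted(ctx):
        ids = ctx[key]
        note = "AMBIGUOUS" if len(ids) > 1 else ""
        lines.append(f"| {key} | {', '.join(ids)} | {note} |")
    return "\n".join(lines) + "\n"


def write_private(path: str, text: str) -> str:
    """Create or overwrite the file as owner read/write only, regardless of umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # an existing file keeps its old mode unless tightened here
    return path


if __name__ == "__main__":
    ctx = build_naming_context(SAMPLE_STATES)
    print(render_markdown(ctx))
    print("stale:", stale_aliases({"old porch": "light.porch"}, SAMPLE_STATES))
```

Because the generated table already reveals room and device layout, it belongs next to the token in the private-file category: write it with a fixed 0600 mode as above and add the references directory to .gitignore so it never ends up in a public repository.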