Openclaw Homeassistant

Security checks across malware telemetry and agentic risk

Overview

This Home Assistant skill appears purpose-aligned, but it exposes broad smart-home control primitives that deserve careful review before installation.

Install only if you trust the agent using it and can limit its Home Assistant permissions. Prefer a dedicated low-privilege Home Assistant account, enable readOnly unless writes are required, restrict allowedDomains, avoid broad service/event/template access where possible, and revoke or rotate the token if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises network-backed Home Assistant control but does not declare corresponding permissions, creating a transparency and governance gap. In practice this can bypass user expectations, weaken review controls, and conceal that the skill can reach a local or remote HA instance to read state or perform actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The tests explicitly validate a generic `ha_call_service` capability that can invoke arbitrary Home Assistant domains and services, including powerful administrative actions such as `homeassistant.restart`. This exceeds the narrowly described smart-home control model with domain-level guardrails, and if exposed to an agent it can become a broad privilege-escalation primitive limited only by the Home Assistant token's permissions and optional allowlist configuration.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The tests confirm a generic `ha_fire_event` capability that allows arbitrary Home Assistant events to be emitted. Event buses often trigger automations, scripts, or integrations, so this can indirectly cause state changes or privileged workflows while appearing less dangerous than direct service invocation, especially since the capability is not disclosed in the manifest description.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
`ha_fire_event` exposes arbitrary Home Assistant event-bus access with only a tool-level allow check and no restriction on event type or payload. In Home Assistant, custom automations and integrations may react to fired events, so this can indirectly trigger sensitive actions outside the narrowly described smart-device control surface.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
`ha_render_template` allows arbitrary Home Assistant template execution without any guard on template content. Templates can expose internal state, secrets-in-context, entity metadata, and system information beyond the manifest’s advertised capabilities, creating a broad unintended read surface and possible prompt/data exfiltration path.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
`ha_call_service` is a generic dispatcher that permits any service within an allowed domain, using attacker-controlled `service` and `service_data`. Even with domain allowlisting, many Home Assistant domains expose powerful or destructive operations, so this bypasses the finer-grained safety model implied by the dedicated per-domain tools and greatly expands the action surface.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Unrestricted event-bus access is especially risky in a Home Assistant environment because events are often used as automation triggers and integration signals. This makes the tool an indirect execution primitive capable of causing actions far beyond simple device control, depending on how the household instance is configured.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The exported types expose broad generic capabilities via ha_call_service, ha_fire_event, and ha_render_template that go beyond narrow device-control operations and can undermine claimed domain-level safety guarantees. In a Home Assistant context, these primitives can be used to invoke arbitrary integrations, trigger automations, and evaluate templates that access sensitive state, making the skill materially more dangerous than its description suggests.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Arbitrary event firing is a powerful primitive in Home Assistant because custom automations and integrations may react to events with privileged or safety-relevant actions. Exposing a generic event interface is broader than simple smart-home control and can become an indirect path to trigger unintended workflows, notifications, unlock routines, or destructive automations.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Generic template rendering is broader than the advertised device-control scope and may expose internal state, entity attributes, or helper functions not intended for routine tool use. In Home Assistant, templates are often used for powerful introspection and automation logic, so exposing arbitrary template execution increases the attack surface and can bypass higher-level safety assumptions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README prominently markets broad Home Assistant control capabilities but does not place an equally prominent warning that the plugin can change physical device state, trigger automations, open covers/garage doors, and send notifications unless safety guards are configured. In an agent-integrated context, unclear documentation increases the chance that users deploy the plugin with default full-write access, creating real safety and operational risk even if the code includes optional safeguards.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup flow instructs users to create and paste a long-lived Home Assistant token into configuration without clearly warning that this token grants persistent API access to the HA instance with the privileges of the issuing account. In an AI/agent plugin context, this omission is security-relevant because users may over-scope the token, store it insecurely, or expose it to untrusted agents without understanding the consequences.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This skill exposes broad smart-home control primitives, including lights, climate, covers, scripts, automations, events, and notifications, yet the description does not warn that use can change physical devices or trigger side effects. That omission is dangerous because users may invoke the skill casually without realizing it can unlock movement, alter environmental controls, or execute automation chains in the home.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The configuration example includes a long-lived access token with no warning about secret handling, storage, rotation, or scoping. This is dangerous because operators may paste real credentials into insecure places, commit them to source control, or reuse over-privileged tokens that grant broad control of the Home Assistant environment.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest advertises broad smart-home control capabilities, including lights, climate, covers, scenes, scripts, automations, arbitrary service calls, and event firing, but the manifest itself provides no explicit invocation constraints, exclusion conditions, or user-confirmation requirements. In a home automation context, unrestricted invocation can affect physical devices, privacy-sensitive sensors, and safety-relevant automations, so this is a genuine security concern even if some controls may exist in implementation.

Missing User Warnings

High
Confidence
97% confidence
Finding
This skill exposes many state-changing actions that can directly affect physical devices and household operations, yet the manifest does not present a clear user-facing warning about risks such as opening covers/garage doors, altering climate, triggering automations/scripts, or sending notifications. In the Home Assistant context, these actions can create real-world safety, privacy, and nuisance impacts, making the absence of prominent warnings and friction a meaningful vulnerability.

VirusTotal

No VirusTotal findings