Back to skill

Security audit

小米智能家居 (Xiao Mi Home for HA)

Security checks across malware telemetry and agentic risk

Overview

This smart-home skill is coherent but needs review because it gives broad Home Assistant control and encourages unsafe handling of a long-lived access token.

Install only if you are comfortable giving the agent Home Assistant authority over real devices. Do not paste HA_TOKEN into chat; configure it through a secure local channel, rotate any token already shared, use the least-privileged Home Assistant account available, and require explicit confirmation for scenes, scripts, automations, climate changes, switches, and bulk actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill is intentionally designed for broad Home Assistant control, including arbitrary service invocation, which can cause disruptive actions in a real home environment if used imprecisely. While this is core functionality rather than overtly malicious behavior, the documentation lacks strong safety guardrails or warnings about high-impact actions such as turning off essential devices or triggering automations.

Missing User Warnings

High
Confidence
99% confidence
Finding
The instructions explicitly encourage users to paste a long-lived Home Assistant token into chat so the AI can store it. This is dangerous because it normalizes disclosure of a bearer credential to the model/session layer, increasing the risk of accidental retention, exposure in logs, reuse by other tools, or unauthorized home-control access if the token is compromised.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The batch shutdown recipe turns off all lights and switches discovered from Home Assistant without emphasizing the scope or operational consequences. In a smart-home context, this can unintentionally disable safety, networking, refrigeration, medical, or automation-related devices if they are represented as switches.

Ssd 3

High
Confidence
99% confidence
Finding
Telling users to disclose the Home Assistant token directly to the AI is a clear credential-handling flaw. A long-lived bearer token grants API access to query state and control devices, so exposing it in natural-language chat creates a direct path to unauthorized access if the conversation, logs, or downstream integrations are exposed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.