Security audit

Home Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is not obviously malicious, but it can give an agent broad control over Home Assistant devices and automations without strong guardrails.

Install only if you are comfortable giving the agent control over your Home Assistant instance. Use a dedicated least-privilege HA account/token where possible, restrict the config file to owner-only permissions, avoid using the generic service caller for sensitive domains unless explicitly confirmed, and be careful with automations, locks, covers, alarms, climate, scripts, and webhooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly relies on shell execution via curl and jq, yet no permissions are declared. In an agent environment, undeclared shell capability weakens policy enforcement and informed consent because the skill can make authenticated network calls and issue device-changing commands without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented behavior exceeds or diverges from the stated purpose in security-relevant ways: it supports arbitrary Home Assistant service invocation, broad entity enumeration, and instance info retrieval, while claiming inbound webhook support without actually implementing a receiver. This mismatch can mislead users and reviewers about the skill's real authority and attack surface, especially because generic service calls can trigger sensitive actions such as unlocking, opening covers, or running powerful automations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The `call` command exposes a fully generic Home Assistant service invoker, which goes beyond the skill's stated scope of controlling common entities such as lights, switches, climate, scenes, and automations. In Home Assistant, arbitrary service calls can reach powerful or safety-relevant integrations, disable protections, unlock doors, open covers, run admin-like actions, or trigger destructive automations, so this materially expands capability without restriction.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation provides ready-to-run state-changing commands for lights, switches, climate, scenes, scripts, and automations without warning that these actions can affect physical devices and trigger chained automations. In a smart-home context, seemingly simple commands can produce real-world safety, privacy, or property effects, so omission of warnings increases the risk of unsafe use.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup instructs users to store a long-lived access token in a config file or export it as an environment variable without emphasizing that the token is a sensitive credential granting broad control over the Home Assistant instance. Long-lived tokens are attractive targets because theft can enable persistent unauthorized access to device states and control functions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The arbitrary `call` path performs state-changing Home Assistant actions with no warning, confirmation, or policy gate. Because Home Assistant services may control locks, alarms, doors, cameras, power devices, or destructive automations, an agent or user can issue impactful commands immediately and silently, increasing the chance of unsafe or unauthorized actions.

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 1: Config File (Recommended)

Create `~/.config/home-assistant/config.json`:
```json
{
  "url": "https://your-ha-instance.duckdns.org",
```
Confidence
86% confidence
Finding
Create `~/.config

VirusTotal

63/63 vendors flagged this skill as clean.