Moltbot Home Assistant

Pass. Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Home Assistant control skill, but it gives an agent broad smart-home control through a long-lived token, so users should configure safety limits carefully.

Install this only if you trust the moltbot-ha CLI package and are comfortable letting an agent control Home Assistant. Use a dedicated token, keep it secret, configure allowed_entities and blocked_entities before use, and consider requiring confirmation for all write operations if your Home Assistant automations or scripts can affect locks, alarms, garage doors, or other safety-sensitive devices.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could change device states, trigger scenes or scripts, and affect the home environment.

Why it was flagged

The skill intentionally exposes broad Home Assistant write/control operations, including physical smart-home devices. This is purpose-aligned and disclosed, but misuse or misinterpretation could have real-world effects.

Skill content

Full Control: Lights, switches, covers, scenes, climate, and all Home Assistant domains

Recommendation

Keep safety level 3 or consider level 2, configure allowed_entities and blocked_entities, and require explicit user confirmation for any physical-risk action or automation/script trigger.

What this means

If the token is exposed or misused, someone could control Home Assistant devices with that token's privileges.

Why it was flagged

The CLI needs a Home Assistant long-lived access token. This is expected for the integration, but the token may grant broad control over the user's Home Assistant account and devices.

Skill content

Set your Home Assistant long-lived access token:
```bash
export HA_TOKEN="your_token_here"
```

Recommendation

Use a dedicated Home Assistant account/token if possible, store the token in a secure environment variable or secret manager, avoid committing it to config files, and revoke it when no longer needed.

What this means

Installing the package will run code outside the reviewed skill artifacts.

Why it was flagged

The skill depends on installing an external CLI package that is not included in the provided artifacts. The install step is user-directed and central to the purpose, but the package code was not available for static review here.

Skill content

```bash
uv tool install moltbot-ha
```

Recommendation

Verify the package source and maintainer, prefer pinned versions where possible, and install only in an environment where you are comfortable granting Home Assistant access.