Homebridge

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Homebridge control skill, but it can change real smart-home devices and relies on stored Homebridge credentials.

Install only if you are comfortable letting the agent control devices exposed through your Homebridge account. Keep the credential file private, prefer a least-privilege Homebridge user if available, confirm accessory IDs and values before changing state, and avoid unattended use for safety-sensitive devices such as thermostats, locks, garage doors, or appliances.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill provides direct examples for turning devices on/off and changing thermostat, lighting, and fan settings, but does not prominently warn that these commands cause immediate physical changes in the user's environment. In a smart-home context, missing safety messaging increases the chance of unsafe or unintended actions affecting comfort, privacy, energy usage, or physical safety.

VirusTotal

64/64 vendors flagged this skill as clean.
