Homebridge
PassAudited by ClawScan on May 10, 2026.
Overview
This skill is a straightforward Homebridge controller, but it uses a local Homebridge admin credential and can change smart-home device state.
Install only if you are comfortable giving the agent access to your Homebridge Config UI X account. Keep the credential file private, confirm device IDs before making changes, and be cautious with safety-relevant devices such as thermostats, locks, garage doors, or appliances.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong device ID or value, the skill could turn devices on or off or change thermostat, fan, lighting, or other smart-home settings.
The script lets the agent send PUT requests to change any specified Homebridge accessory characteristic. This is the core purpose of the skill, but it can alter physical device behavior.
set_parser.add_argument("accessory_id", help="Accessory unique ID") ... set_parser.add_argument("characteristic", help="Characteristic type (e.g., On, Brightness)") ... return make_request(url, method="PUT", data=data, token=token)Use the list/get commands first, verify the accessory ID and characteristic, and avoid allowing unattended use for safety-sensitive devices.
Anyone or any agent process that can read this file may be able to authenticate to Homebridge and control connected accessories.
The skill requires a stored Homebridge username and password, described as an admin credential in the example. This is expected for Homebridge API access, but it grants authority to control devices.
Credentials file at `~/.clawdbot/credentials/homebridge.json`: { "url": "https://homebridge.local:8581", "username": "admin", "password": "your-password" }Protect the credential file permissions, use a dedicated least-privilege account if Homebridge supports it, and rotate the password if the file is exposed.