Homebridge
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong device ID or value, the skill could turn devices on or off or change thermostat, fan, lighting, or other smart-home settings.
The script lets the agent send PUT requests to change any specified Homebridge accessory characteristic. This is the core purpose of the skill, but it can alter physical device behavior.
set_parser.add_argument("accessory_id", help="Accessory unique ID")
...
set_parser.add_argument("characteristic", help="Characteristic type (e.g., On, Brightness)")
...
return make_request(url, method="PUT", data=data, token=token)
Use the list/get commands first, verify the accessory ID and characteristic, and avoid allowing unattended use for safety-sensitive devices.
Anyone or any agent process that can read this file may be able to authenticate to Homebridge and control connected accessories.
The skill requires a stored Homebridge username and password, described as an admin credential in the example. This is expected for Homebridge API access, but it grants authority to control devices.
Credentials file at `~/.clawdbot/credentials/homebridge.json`: { "url": "https://homebridge.local:8581", "username": "admin", "password": "your-password" }
Protect the credential file permissions, use a dedicated least-privilege account if Homebridge supports it, and rotate the password if the file is exposed.
