Homebridge

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill

The skill is designed to control Homebridge devices via its REST API. The `SKILL.md` provides clear instructions and `curl` examples, while the `scripts/homebridge_api.py` script implements the functionality using standard Python libraries. The script correctly loads credentials from `~/.clawdbot/credentials/homebridge.json` and confines all network interactions to the configured Homebridge URL. There is no evidence of data exfiltration, arbitrary command execution, persistence mechanisms, prompt injection attempts against the agent, or other malicious behaviors. The implementation uses safe methods for constructing API requests, mitigating common injection risks.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong device ID or value, the skill could turn devices on or off or change thermostat, fan, lighting, or other smart-home settings.

Why it was flagged

The script lets the agent send PUT requests to change any specified Homebridge accessory characteristic. This is the core purpose of the skill, but it can alter physical device behavior.

Skill content

```python
set_parser.add_argument("accessory_id", help="Accessory unique ID")
...
set_parser.add_argument("characteristic", help="Characteristic type (e.g., On, Brightness)")
...
return make_request(url, method="PUT", data=data, token=token)
```

Recommendation

Use the list/get commands first, verify the accessory ID and characteristic, and avoid allowing unattended use for safety-sensitive devices.

What this means

Anyone or any agent process that can read this file may be able to authenticate to Homebridge and control connected accessories.

Why it was flagged

The skill requires a stored Homebridge username and password, described as an admin credential in the example. This is expected for Homebridge API access, but it grants authority to control devices.

Skill content

Credentials file at `~/.clawdbot/credentials/homebridge.json`:

```json
{
  "url": "https://homebridge.local:8581",
  "username": "admin",
  "password": "your-password"
}
```

Recommendation

Protect the credential file permissions, use a dedicated least-privilege account if Homebridge supports it, and rotate the password if the file is exposed.