Smart Home Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Home Assistant energy-analysis helper that can draft automations, but it does not directly change devices or persist anything by itself.

Install only if you are comfortable giving the skill a Home Assistant long-lived token and letting it read entity, device, and area data. Treat any generated automation as a draft: verify every target entity and avoid applying turn_on or turn_off rules to critical appliances, safety systems, networking gear, or medical-adjacent devices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill requires both network access to a Home Assistant instance and access to a bearer-style long-lived token from environment/config, but those capabilities are not explicitly declared as permissions. That creates a transparency and review gap: consumers may not realize the skill can reach internal home-automation APIs using sensitive credentials, which increases the chance of overtrust and misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as an energy-monitoring assistant and explicitly says it should not be used for device control, yet it generates ready-to-apply automations containing control actions such as switch.turn_off. That mismatch is dangerous because users or orchestration systems may treat the skill as read-only/analytic while it is effectively producing operational control logic that can disable devices in the home.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation claims the skill is read-only, but the showcased output is specifically intended for Home Assistant's automation creation flow and embeds actuator actions like switch.turn_off. Even if the skill does not directly call the service itself, producing machine-ready control payloads lowers the barrier to unintended or automated state-changing actions and misleads reviewers about safety boundaries.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The configuration model includes an 'action' field defaulting to 'turn_off', which enables operational automation behavior even though the skill metadata explicitly says it must not be used for device control. In this context, supporting control-oriented actions creates a dangerous scope mismatch: a user invoking an energy-analysis skill could indirectly generate or trigger device shutoff automations affecting appliances, safety-critical systems, or home availability.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill reads the full device registry to build entity-to-area mappings, which broadens access from energy analysis into general Home Assistant inventory metadata. Even if used for a legitimate feature, this can expose unnecessary details about the user's environment, devices, and layout if the token or downstream handling is compromised or if the skill returns more context than needed.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This code generates Home Assistant automations that invoke switch control services, which exceeds the declared skill scope of energy monitoring and analysis. In this context, the dangerous part is not memory corruption or injection, but unauthorized capability expansion: a user or downstream agent could use an analysis-only skill to cause real-world device state changes, including turning equipment on or off.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code derives controllable switch entity IDs from sensor entity IDs and prepares switch service calls without validating that the inferred target is correct, intended, or safe to operate. That creates a pathway from passive telemetry to active control over home devices, increasing the chance of unintended shutdowns or manipulation of the wrong entity.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata explicitly says it must not be used for device control, yet the rule defines an automated `turn_off` action based on power and occupancy conditions. This creates a capability/behavior mismatch that could cause the agent to perform physical state changes in the home despite a declared analysis-only scope, increasing the risk of unsafe or unauthorized automation.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
Using the bearer token to retrieve the full device registry collects broader environment mapping data than is necessary for many energy queries. In a smart-home context this is more sensitive than generic metadata because it can reveal household structure, installed devices, and occupancy-relevant layout information beyond the user's immediate request.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The automation output can perform switch actions based on power thresholds and time windows without any user-facing warning that the result may control physical devices. In a smart-home context, silent generation of operational automations can lead users to deploy rules that disrupt appliances, networking gear, medical-adjacent equipment, or other critical household systems.

VirusTotal

67/67 vendors flagged this skill as clean.