HomeKit Smart Home Control
v1.0.6Control Apple HomeKit smart home devices. Supports listing, discovering, pairing devices, and controlling lights, switches, outlets, thermostats. Use when th...
⭐ 5· 2k·4 current·4 all-time
bymanifold@manifoldor
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name and description match the included Python script and README: the skill uses the homekit / HAP-python libraries to discover, pair, list, and control HomeKit accessories on the local network. There are no unrelated credentials, binaries, or cloud services requested.
Instruction Scope
SKILL.md and scripts instruct only local network operations (mDNS/Bonjour discovery, pairing, characteristic writes) and recommend installing HAP-python/homekit. The script reads an optional env var HOMEKIT_DEFAULT_HOME and writes pairings to ~/.config/homekit/pairings.json — both are within scope but the env var is not declared in requires.env. The SKILL.md contains example scene scripts that reference an agent workspace path (~/.openclaw) which is a usability detail but not a secret-exfiltration vector by itself.
Install Mechanism
No install spec is embedded; SKILL.md recommends installing HAP-python and homekit via pip from PyPI (pip3 install HAP-python homekit). This is a standard mechanism for Python libraries and proportionate to the skill's function. No downloads from unknown URLs or archive extraction are present.
Credentials
The skill declares no required environment variables or secrets, which matches expected usage. The code does read HOMEKIT_DEFAULT_HOME from the environment (optional) but that variable is not documented in SKILL.md. The script stores pairing data (sensitive control credentials for HomeKit devices) in ~/.config/homekit/pairings.json — storing these secrets locally is expected for a HomeKit controller but is a sensitive action users should be aware of.
Persistence & Privilege
always:false and the skill is user-invocable and allowed to run autonomously (default). The script persistently writes pairing state to the user's config directory (~/.config/homekit), which is necessary for functionality but means the skill will keep sensitive device credentials on disk. The skill does not request system-wide or other-skills configuration changes in the provided files.
Assessment
This skill appears to do what it says: discover, pair, and control HomeKit devices on your local network. Before installing, consider: 1) Review the entire scripts/homekit.py file (the provided listing was truncated) to confirm there's no unexpected network calls or telemetry. 2) Install dependencies from trusted sources (pip from PyPI) and consider using a virtualenv. 3) Be aware pairing data (control credentials) will be saved to ~/.config/homekit/pairings.json — treat this file as sensitive and restrict its permissions. 4) If you prefer extra isolation, run the tool on a dedicated machine or VM on the same LAN. 5) If you rely on agents/autonomous invocation, note the skill can be invoked automatically by the agent (default); only enable that if you trust the skill and its source.Like a lobster shell, security has layers — review code before you run it.
homekitvk970w2vm7wvgj0kj2244z4kfe980e6e4latestvk971s6rxzy96wk38d1z000z42x83bp7x
License
MIT-0
Free to use, modify, and redistribute. No attribution required.