HomeKit Smart Home Control

Security checks across malware telemetry and agentic risk

Overview

This skill openly does what it claims: lets a user control their own HomeKit devices, with normal smart-home risks but no evidence of hidden or unrelated behavior.

Install this only if you trust it to control your HomeKit accessories. Review commands before running them, be especially careful with unpairing and batch power changes, protect the local pairing file, and consider using a virtual environment or pinned package versions for the Python dependencies.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 80% confidence
Finding: The documentation encourages disruptive actions such as unpairing devices and batch power control without emphasizing confirmation, scope checking, or potential safety/availability consequences. In a smart-home context, this can cause denial of service for home automation, unintended shutdown of critical devices, or occupant disruption if an agent executes commands too broadly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal