HomeKit Smart Home Control

Pass. Audited by ClawScan on May 10, 2026.

Overview

This is a coherent HomeKit control skill, but it can change real smart-home devices and stores local pairing data, so it should be used only as trusted home-control software.

Before installing, confirm you trust the skill and its Python dependencies, protect the local HomeKit pairing file, and use explicit confirmation for commands that change or unpair physical devices. The provided script content is marked truncated in the artifact, so review the full script if available before relying on it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or over-broad command could turn devices on or off, change brightness, or remove a device pairing.

Why it was flagged

The skill openly provides commands that can pair, unpair, and change the state of real smart-home devices. This is central to the stated purpose, but it is still high-impact behavior.

Skill content

- 🔗 Pair/Unpair devices
- 💡 Control light switches and brightness
- 🔌 Control outlets and switches

Recommendation

Use explicit device names, review commands before running them, and require confirmation for unpairing or broad/batch device changes.

What this means

Anyone or any process that can read or use the local pairing data may be able to control the paired HomeKit devices from this machine.

Why it was flagged

The script stores and reloads HomeKit pairing data locally. That data is effectively authorization to control paired HomeKit accessories.

Skill content

CONFIG_DIR = os.path.expanduser("~/.config/homekit")
PAIRING_FILE = os.path.join(CONFIG_DIR, "pairings.json")
controller.save_data(PAIRING_FILE)

Recommendation

Protect the local account and the ~/.config/homekit directory, avoid sharing the pairing file, and unpair devices if the machine is no longer trusted.

What this means

Installing unpinned packages can expose the environment to package changes or supply-chain issues outside the skill itself.

Why it was flagged

The setup instructions ask the user to install third-party Python packages without pinned versions. This is purpose-aligned, but it depends on external package provenance.

Skill content

pip3 install HAP-python homekit --user

Recommendation

Install dependencies from trusted sources, preferably in a virtual environment, and consider pinning or reviewing package versions before use.