HomeKit Smart Home Control
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad command could turn devices on or off, change brightness, or remove a device pairing.
The skill openly provides commands that can pair, unpair, and change the state of real smart-home devices. This is central to the stated purpose, but it is still high-impact behavior.
- 🔗 Pair/Unpair devices
- 💡 Control light switches and brightness
- 🔌 Control outlets and switches
Use explicit device names, review commands before running them, and require confirmation for unpairing or broad/batch device changes.
Anyone or any process that can read or use the local pairing data may be able to control the paired HomeKit devices from this machine.
The script stores and reloads HomeKit pairing data locally. That data is effectively authorization to control paired HomeKit accessories.
CONFIG_DIR = os.path.expanduser("~/.config/homekit")
PAIRING_FILE = os.path.join(CONFIG_DIR, "pairings.json")
controller.save_data(PAIRING_FILE)
Protect the local account and the ~/.config/homekit directory, avoid sharing the pairing file, and unpair devices if the machine is no longer trusted.
Installing unpinned packages can expose the environment to package changes or supply-chain issues outside the skill itself.
The setup instructions ask the user to install third-party Python packages without pinned versions. This is purpose-aligned, but it depends on external package provenance.
pip3 install HAP-python homekit --user
Install dependencies from trusted sources, preferably in a virtual environment, and consider pinning or reviewing package versions before use.
