HomeKit Smart Home Control
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: homekit
Version: 1.0.6
The homekit skill bundle provides standard functionality for managing Apple HomeKit devices using the legitimate 'homekit_python' library. The core script (scripts/homekit.py) implements device discovery, pairing, and control via mDNS and local network communication, storing pairing data locally in the user's config directory as expected. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad command could turn devices on or off, change brightness, or remove a device pairing.
The skill openly provides commands that can pair, unpair, and change the state of real smart-home devices. This is central to the stated purpose, but it is still high-impact behavior.
- 🔗 Pair/Unpair devices
- 💡 Control light switches and brightness
- 🔌 Control outlets and switches
Use explicit device names, review commands before running them, and require confirmation for unpairing or broad/batch device changes.
Anyone or any process that can read or use the local pairing data may be able to control the paired HomeKit devices from this machine.
The script stores and reloads HomeKit pairing data locally. That data is effectively authorization to control paired HomeKit accessories.
CONFIG_DIR = os.path.expanduser("~/.config/homekit")
PAIRING_FILE = os.path.join(CONFIG_DIR, "pairings.json")
controller.save_data(PAIRING_FILE)
Protect the local account and the ~/.config/homekit directory, avoid sharing the pairing file, and unpair devices if the machine is no longer trusted.
Installing unpinned packages can expose the environment to package changes or supply-chain issues outside the skill itself.
The setup instructions ask the user to install third-party Python packages without pinned versions. This is purpose-aligned, but it depends on external package provenance.
pip3 install HAP-python homekit --user
Install dependencies from trusted sources, preferably in a virtual environment, and consider pinning or reviewing package versions before use.
