minos
v1.0.0
Control Home Assistant devices, read sensors, and manage automations using the Python Bridge. Use when the user wants to interact with their smart home - tur...
⭐ 0· 228·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, CLI, and Python code all implement Home Assistant control via REST API. Required tools (Python + requests) and the behaviors (turn_on/off, lights, climate, search, history) are coherent with the stated purpose. No unrelated cloud providers, services, or binaries are requested.
Instruction Scope
Runtime instructions ask you to run ha-setup.sh which prompts for HA_URL and a long-lived HA_TOKEN and writes them to ~/.homeassistant.conf; they also instruct sourcing that file and optionally adding it to ~/.bashrc. The SKILL.md hardcodes a setup path (/root/.openclaw/workspace/skills/home-assistant/scripts) which may not match your environment and could confuse non-root users. The instructions do not attempt to read or transmit unrelated system files or external endpoints beyond the Home Assistant URL.
Install Mechanism
There is no install spec that downloads code from arbitrary URLs. The skill is instruction-only but does include local scripts bundled with the skill. No remote install/extract operations or third-party package downloads are performed by the skill itself.
Credentials
The skill genuinely needs a Home Assistant URL and long-lived token (HA_URL, HA_TOKEN) which the setup script stores in ~/.homeassistant.conf and the Python client also accepts from environment variables. However, the registry metadata lists no required environment variables or primary credential — an inconsistency you should be aware of. Storing long-lived tokens in a file is functional but requires caution.
Persistence & Privilege
The skill does not request forced/always-on installation and does not modify other skills or system-wide agent settings. The only persistent change the setup script suggests is writing ~/.homeassistant.conf and optionally adding a source entry to ~/.bashrc (user-level changes under your control).
Assessment
This package is coherent with its stated purpose, but take these precautions before installing:
- Verify the HA_TOKEN handling: ha-setup.sh saves your long-lived HA token to ~/.homeassistant.conf (permissions set to 600). Consider whether you want a file-stored token or prefer exporting the token into the current shell session only. Do not add the source line to ~/.bashrc unless you understand the tradeoff of persisting the token in your shell startup.
- Confirm the setup path: SKILL.md instructs cd to /root/.openclaw/... which may not match your system. Run ha-setup.sh from the actual scripts directory included with the skill.
- Inspect the code locally before running: the Python script issues API calls only to the HA_URL you provide and does not contact other endpoints, but you should still review it if you have higher security needs.
- Use a dedicated long-lived token with minimal privileges if possible, and rotate it if compromised.
- Ensure requests is installed in a controlled environment (virtualenv) to avoid interfering with system packages.
If you want the registry metadata to be more accurate, ask the author to declare HA_URL and HA_TOKEN as required env vars/primary credentials and to avoid hardcoded paths in SKILL.md.
Like a lobster shell, security has layers — review code before you run it.
latestvk9758d07d2b04z1g41akkv9z3182h3fm
