Back to skill

Security audit

minos

Security checks across malware telemetry and agentic risk

Overview

This Home Assistant skill does what it claims, but it can control real devices and stores a powerful long-lived access token in a sourced shell config.

Install only if you are comfortable giving this skill Home Assistant API access. Use a dedicated and revocable Home Assistant token, protect ~/.homeassistant.conf, avoid adding it to shared shell startup environments, inspect any existing config before sourcing it, and require explicit confirmation before actions involving locks, doors, alarms, garage doors, climate, scenes, or other safety-sensitive devices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities that rely on shell execution, environment variable loading, and outbound network access to a Home Assistant instance, but no corresponding permissions are declared. This creates a transparency and policy-enforcement gap: users and hosting systems may not realize the skill can execute commands and access networked home infrastructure.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The `get_services()`/`services` command exposes the full Home Assistant service catalog, which expands the skill from the stated use of device control, sensors, and automations into broad capability discovery. In an agent setting, this materially lowers the barrier to invoking unexpected or high-impact services and can aid lateral misuse by revealing privileged operations available on the target Home Assistant instance.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to create and source a shell config containing a long-lived Home Assistant access token, but provides no warning about protecting that file, limiting permissions, avoiding shell history exposure, or preferring safer secret storage. In a smart-home control skill, this token grants broad control over devices and visibility into home state, so poor handling meaningfully increases the chance of credential theft and unauthorized home access.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The description presents the skill as a convenience integration but does not warn that it can actively change device state, trigger scenes, and manage automations in a real home environment. In this context, omission matters because users may invoke the skill without appreciating that it can unlock disruptive or safety-relevant actions affecting lights, climate, and other connected devices.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup instructions direct users to create and source a local file containing a long-lived Home Assistant token, but provide no warning that this credential grants persistent API access to the smart-home environment. If the file is exposed through weak filesystem permissions, shell history, backups, or later command output, an attacker could control or monitor the home environment.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
When an existing configuration is found, the script prints the first 20 characters of the Home Assistant bearer token to the terminal. Exposing even a partial API token increases the risk of credential disclosure through shoulder surfing, terminal logs, screenshots, or shell session recording, especially because this token grants smart-home control access.

Credential Access

High
Category
Privilege Escalation
Content
## Prerequisites

- Home Assistant instance running (local or remote)
- Long-lived access token from HA profile
- Network connectivity to HA instance
- Python 3 with `requests` module
Confidence
90% confidence
Finding
access token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.