Itsyhome Control
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken request, ambiguous intent, or prompt-influenced agent action could unlock a door, open a garage, or run a scene before the user has a chance to review it.
The skill documents high-impact physical control endpoints and places user confirmation after the action, with no explicit pre-approval requirement for locks, garage doors, or broad scenes.
Use when the user asks to ... lock/unlock doors, open/close garage doors ... 3. **To control** → appropriate action endpoint ... 4. **Confirm to user** with what was done
Require explicit confirmation for security-sensitive or broad actions such as unlocking doors, opening garages, changing thermostats, or running scenes; consider allowlisting safe devices/actions.
Installing the skill effectively lets the agent act through Itsyhome with whatever smart-home permissions that app already has.
The skill does not request its own credential; it uses the local Itsyhome app's already-authorized access to HomeKit/Home Assistant devices.
Requires Itsyhome Pro running on the same Mac as the OpenClaw gateway.
Install only on a trusted Mac/gateway, keep the webhook local, and review Itsyhome permissions so the agent has access only to devices you are comfortable controlling through OpenClaw.
Device lists, lock states, camera entity details, and live activity can reveal private information about the home if queried unnecessarily or included in conversation output.
The documented local API can expose broad smart-home state, raw HomeKit characteristics, camera entity metadata, and live state changes into the agent context.
curl http://localhost:8423/debug/raw # raw HomeKit dump
curl -N http://localhost:8423/events # Streams Server-Sent Events with characteristic updates in real time
Use list/info/debug/event endpoints only when needed, avoid debug/raw or camera-related endpoints unless specifically requested, and do not share raw smart-home dumps outside the local task.
