Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clawd Home Assistant

v1.0.0

Control Home Assistant entities via REST API. Use when the user asks to control lights, climate, switches, or other HA entities. Supports climate (thermostat...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the provided scripts: climate, lights, switches, sensors and entity listing via the HA REST API. Required binaries (curl, jq) are appropriate. However, the registry metadata declared no required config paths while the SKILL.md and scripts expect a credentials file at ~/.openclaw/credentials/homeassistant.json — this config requirement is not declared in the registry metadata.
Instruction Scope
Runtime instructions and the scripts are narrowly scoped to call the Home Assistant REST API using a URL and long-lived token from the credentials file. They do not read unrelated system files or environment variables. However, SKILL.md references scripts/service.sh for generic service calls but no scripts/service.sh exists in the package — this mismatch means the documented workflow is incomplete and could cause unexpected behavior. Also the instructions ask you to store a long-lived access token in plaintext on disk (sensitive), which is expected functionally but should be acknowledged as a sensitivity risk.
Install Mechanism
No install spec is provided (scripts are present and expected to be run directly). This is the lower-risk model because nothing is downloaded or executed automatically. The package only requires standard command-line tools (curl, jq).
Credentials
The skill asks for no environment variables and instead expects a local credentials file containing the HA URL and long-lived access token — that is proportional to the stated purpose. But the registry metadata did not declare this required config path; the token stored is sensitive (long-lived tokens grant broad API access in HA), so the user should treat the credentials file as secret and consider revoking/regenerating the token if exposure is possible.
Persistence & Privilege
The skill is not force-included (always: false) and does not request elevated or persistent system privileges. It does not modify other skills or system-wide config. Autonomous invocation is permitted (default) but not combined with other high-risk factors here.
What to consider before installing
This package appears to implement Home Assistant REST calls as described, but review the following before installing:
1) The scripts expect a credentials file at ~/.openclaw/credentials/homeassistant.json containing your HA URL and a long-lived access token — that path was not declared in the registry metadata; create the file only after verifying you trust the skill.
2) SKILL.md mentions scripts/service.sh for generic service calls but no such file is present in the bundle; confirm whether a missing file is an oversight or if functionality is incomplete.
3) Long-lived HA tokens are powerful — create a token you can revoke, store it with secure file permissions, and consider rotating it after testing.
4) Because this skill comes from an unknown source, inspect the scripts locally (they are small and readable) and ensure the URL in your credentials points to your HA instance (the scripts will call whatever URL is stored).
If you are uncomfortable with the missing/mismatched documentation or storing a long-lived token, do not install or run until those issues are resolved.


Runtime requirements

Clawdis
Bins: curl, jq