HA Skill

Security checks across malware telemetry and agentic risk

Overview

This Home Assistant skill does what it claims, but it gives an agent broad, persistent control over real home devices using a long-lived local token and weak safety boundaries.

Install it only if you intend to let OpenClaw control your Home Assistant devices. If you do, keep the token file readable by your user alone, prefer HTTPS and the least-privileged Home Assistant account or token that still covers the entities you need, revoke the token immediately if it is exposed, and do not accept any generic service-call behavior unless you have reviewed and confirmed the exact service and entity being targeted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium severity, 94% confidence
The manifest and description frame the skill as limited to common home-control functions, but the documentation also describes calling arbitrary Home Assistant services. This creates a scope gap that can expose far broader actions than users or policy systems expect, including unlocking doors, opening covers, triggering automations, or invoking integrations with sensitive side effects.

Context-Inappropriate Capability

Medium severity, 97% confidence
A generic arbitrary Home Assistant service-call interface is effectively a privileged remote action primitive over the entire HA environment. In context, this is more dangerous because Home Assistant often controls real-world and security-relevant devices, so broad service access can lead to physical changes, privacy loss, or unsafe automation triggers.

Missing User Warnings

Medium severity, 94% confidence
The README instructs users to store a long-lived Home Assistant token in a plaintext local file and provides no guidance on securing that file, limiting its permissions, or preferring safer secret storage. Because this skill controls physical home-automation devices, theft of that token could let an attacker remotely manipulate lights, switches and climate, and query household state data.

Vague Triggers

Medium severity, 86% confidence
The broad invocation description could cause the skill to activate on vague home-control requests without clearly stated limits, increasing the chance of unintended execution. In a home-automation context, accidental triggering is more serious because it can change physical device state or interact with household systems.

Missing User Warnings

Medium severity, 90% confidence
The documentation does not prominently warn that commands can alter real-world device state and transmit data to a Home Assistant API using a long-lived token. Without clear notice, users may treat the skill like a read-only helper when it is actually a privileged controller for physical devices and home telemetry.

Missing User Warnings

Medium severity, 93% confidence
The script reads a long-lived Home Assistant token from a local credentials file and immediately uses it in authenticated API requests without any user warning, consent check, or validation of the destination URL. In an agent skill context, this creates a real security risk because invoking the skill causes privileged actions against a home automation system, and a compromised or misconfigured URL could direct the bearer token to an unintended endpoint.

Missing User Warnings

Medium severity, 90% confidence
The script silently reads a long-lived Home Assistant URL and bearer token from a local credentials file and uses them to perform actions, without any user-facing disclosure or consent step. In an agent/skill context, this creates a capability boundary issue: a user may trigger device control or state queries without realizing the skill is accessing stored credentials to authenticate against a home automation system.

Missing User Warnings

Medium severity, 94% confidence
The script sends authenticated REST requests to Home Assistant to change device state, but there is no user-visible notice that a network call with bearer-token authentication is being made. In a skill environment, undisclosed outbound authenticated actions can surprise users and make unintended real-world device manipulation easier if the skill is invoked indirectly or misunderstood.
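The hardening the overview asks for (a token file readable only by its owner, HTTPS or LAN-only HTTP, and no generic service calls outside an explicit allowlist) closes the gaps the findings above describe: the unvalidated destination URL, the silently-read plaintext token, and the arbitrary service-call primitive. The following is an added example in Python, not the skill's own code. It assumes a JSON credentials file with `url` and `token` keys, a hypothetical allowlist of services, and Home Assistant's public REST endpoint `POST /api/services/<domain>/<service>`; it builds requests but never sends them.

```python
"""Hardened credential loading and allowlisted service calls for an HA skill.
Added example, not the skill's own code. Assumed: JSON credentials file with
"url"/"token" keys, the allowlist below, and HA's public REST endpoint
POST /api/services/<domain>/<service>. Nothing here sends a request."""
import ipaddress
import json
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Hypothetical allowlist: the only (domain, service) pairs the wrapper will build.
ALLOWED_SERVICES = {("light", "turn_on"), ("light", "turn_off"),
                    ("switch", "turn_on"), ("switch", "turn_off"),
                    ("climate", "set_temperature")}
ENTITY_ID_RE = re.compile(r"^[a-z0-9_]+\.[a-z0-9_]+$")

class SkillPolicyError(ValueError):
    """Raised for an insecure token file, a disallowed URL or a non-allowlisted call."""

def token_file_mode_ok(path):
    """True only if group/others hold no permission bits on the token file."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

def is_local_host(host):
    """Loopback, private-range IPs or .local names count as the home LAN."""
    host = host or ""
    if host == "localhost" or host.endswith(".local"):
        return True
    try:
        return ipaddress.ip_address(host).is_private  # is_private includes loopback
    except ValueError:
        return False

def validate_base_url(url):
    """Allow https anywhere, or plain http only to a LAN host, so a tampered
    credentials file cannot make the skill send the bearer token to the internet."""
    p = urlparse(url)
    if (p.scheme == "https" and p.hostname) or (p.scheme == "http" and is_local_host(p.hostname)):
        return url.rstrip("/")
    raise SkillPolicyError(f"refusing base URL {url!r}: https, or http to a LAN/loopback host only")

def load_credentials(path):
    """Refuse a group/world-readable token file instead of silently using it."""
    if not token_file_mode_ok(path):
        raise SkillPolicyError(f"{path} is readable by other users; run: chmod 600 {path}")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not data.get("token"):
        raise SkillPolicyError("credentials file has no token")
    return {"url": validate_base_url(data.get("url", "")), "token": data["token"]}

def is_allowed_call(domain, service, entity_id):
    """Policy gate: allowlisted service, well-formed entity, entity domain matches."""
    if (domain, service) not in ALLOWED_SERVICES or not ENTITY_ID_RE.match(entity_id):
        return False
    return entity_id.split(".", 1)[0] == domain

def build_service_call(creds, domain, service, entity_id, data=None):
    """Return (url, headers, body) for one allowlisted call; never sends it."""
    if not is_allowed_call(domain, service, entity_id):
        raise SkillPolicyError(f"refusing {domain}.{service} on {entity_id!r}: not allowlisted")
    body = dict(data or {})
    body["entity_id"] = entity_id  # caller-supplied data cannot retarget the entity
    url = f"{creds['url']}/api/services/{domain}/{service}"
    headers = {"Authorization": f"Bearer {creds['token']}", "Content-Type": "application/json"}
    return url, headers, body

def run_demo():
    """Exercise the checks against two constructed credential files in a temp dir."""
    results = {}
    workdir = tempfile.mkdtemp()
    creds_json = json.dumps({"url": "http://homeassistant.local:8123/", "token": "constructed-token"})
    loose, strict = os.path.join(workdir, "loose.json"), os.path.join(workdir, "strict.json")
    for path, mode in ((loose, 0o644), (strict, 0o600)):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(creds_json)
        os.chmod(path, mode)
    try:
        load_credentials(loose)
        results["loose_mode_rejected"] = False
    except SkillPolicyError:
        results["loose_mode_rejected"] = True
    try:
        validate_base_url("http://ha.example.org:8123")
        results["public_http_rejected"] = False
    except SkillPolicyError:
        results["public_http_rejected"] = True
    creds = load_credentials(strict)
    results["base_url"] = creds["url"]
    results["allowed_body"] = build_service_call(creds, "light", "turn_on", "light.kitchen",
                                                {"brightness": 128})[2]
    results["generic_call_blocked"] = not is_allowed_call("lock", "unlock", "lock.front_door")
    results["cross_domain_blocked"] = not is_allowed_call("light", "turn_on", "lock.front_door")
    return results

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the file prints the outcome of each check: the 0644 copy of the token file is refused, a plain-http public URL is refused, `light.turn_on` on `light.kitchen` is built, and both `lock.unlock` and a `light` service aimed at a `lock.*` entity are blocked before any request exists. The entity-domain check matters because Home Assistant service data is free-form JSON; forcing `entity_id` from the validated argument and matching its domain to the service keeps a prompt-injected `data` payload from retargeting the call.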

VirusTotal

0 of 65 vendors flagged this skill; all 65 reported it clean.