Back to skill
Skillv1.0.0
VirusTotal security
HA Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 8, 2026, 12:11 AM
- Hash
- 8b1f683a0d044094cfee6c2933e992d46705117f68a2df840da1e2fcac7bd4a3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ha-skill Version: 1.0.0 The Home Assistant skill provides functional integration for controlling smart home devices but contains significant security vulnerabilities in its implementation. Specifically, scripts/light.sh and scripts/switch.sh use manual string concatenation and sed to construct JSON payloads for API calls rather than using jq, which creates a risk of injection if entity IDs or parameters are maliciously crafted. While the behavior is consistent with the stated purpose, these vulnerabilities in input handling and JSON construction meet the threshold for a suspicious classification.
- External report
- View on VirusTotal