Back to skill

Security audit

Home Assistant

Security checks across malware telemetry and agentic risk

Overview

This Home Assistant skill is mostly coherent, but it gives an agent broad smart-home control, including arbitrary service calls, without clear safety limits or confirmation guidance.

Install only if you are comfortable giving the agent broad Home Assistant authority. Use a least-privilege Home Assistant token if possible, avoid exposing locks, alarms, garage doors, and sensitive scripts to generic service calls, and require explicit confirmation before actions with physical, security, or privacy impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This is a mismatch because the description explicitly says the skill supports bidirectional communication including inbound webhook events, but the provided code contains no webhook listener or inbound trigger handling at all. The code does match much of the outbound control functionality described: turning entities on/off, toggling, activating scenes, running scripts, triggering automations, setting climate temperature, and querying state via the Home Assistant REST API. However, it also exposes broader capabilities not mentioned in the description, especially generic arbitrary service invocation (`call`), entity discovery/search, and HA instance info retrieval. The most significant discrepancy is that the declared webhook/inbound behavior is absent from the actual code.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The `call` command allows arbitrary Home Assistant service invocation across any domain and service, which is broader than the described control surface and bypasses the safer, purpose-specific wrappers implemented elsewhere in the script. In a Home Assistant environment, arbitrary service execution can unlock doors, disable alarms, open covers, run scripts, or trigger high-impact automations, making this a real capability-expansion risk if an agent or prompt can invoke it.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This branch exposes arbitrary Home Assistant API service execution with user-supplied domain, service, and JSON payload, enabling operations well beyond lights, switches, climate, scenes, and scripts. Because Home Assistant service APIs often control security-sensitive or safety-relevant devices, this materially increases the attack surface and could be abused for unauthorized physical-world actions.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The documentation encourages direct control of physical devices, scenes, scripts, and automations without warning that these actions can have real-world consequences such as unlocking access paths, opening covers/garage doors, changing climate settings, or triggering chained automations. In a home automation context, omission of safety guidance increases the risk of accidental unsafe operation or abuse through overbroad use.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The webhook section instructs users to send Home Assistant event data to an external Clawdbot endpoint without warning that occupancy, motion, room names, and other automation data may leave the local home environment. In a smart-home context this can expose sensitive behavioral and presence information, and the example authorization scheme does not discuss secure secret management, rotation, or minimization of transmitted data.

Credential Access

High
Category
Privilege Escalation
Content
Environment:
  HA_URL    Home Assistant URL (required)
  HA_TOKEN  Long-lived access token (required)

Examples:
  ha.sh on light.living_room 200
Confidence
70% confidence
Finding
access token

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.