Home Assistant Integration

This skill plausibly does what it says (talks to Home Assistant) but there are mismatches and a few operational risks you should address before installing: - Expect to provide HOME_ASSISTANT_URL and a long‑lived HOME_ASSISTANT_TOKEN; the registry metadata should have declared these but didn't. Treat the token as sensitive. - Prefer storing the token in the platform's secure secrets store rather than committing it to files. If you must use openclaw.json, ensure that file is access‑restricted. - The SKILL.md falls back to reading ~/.openclaw/workspace/.secrets/home_assistant.token — check that path and contents and be cautious about any skill that reads files in your workspace. - The README links to a GitHub repo with install.sh and fix scripts. Do NOT run those scripts without reviewing them. Inspect any install.sh / fix-token-config.sh for unsafe operations (network calls, credential exfiltration, sudo/systemctl commands) before executing. - Create a least‑privileged HA long‑lived token (only the scopes needed) rather than using a full admin token. - Avoid setting HOME_ASSISTANT_SSL_VERIFY=false unless you understand the implications; better to provide a CA cert path (HOME_ASSISTANT_CA_CERT) if you use self‑signed certs. - Ask the skill author/registry maintainer to update the skill metadata to declare required env vars and config paths so the credential needs are transparent. If you want to proceed: review the external GitHub repo and any scripts, create a scoped HA token, store it securely, and only then enable the skill.