Home Assistant

v1.0.5

Connect Home Assistant to OpenClaw via OAuth 2.0 through Selora Connect. Authenticate and use Selora AI tools to inspect your home, create automations, and a...

⭐ 2· 189·0 current·0 all-time

byPhilippe Lafoucrière@lafoush

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lafoush/homeassistant-selora.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Home Assistant" (lafoush/homeassistant-selora) from ClawHub.
Skill page: https://clawhub.ai/lafoush/homeassistant-selora
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install homeassistant-selora

ClawHub CLI

Package manager switcher

npx clawhub@latest install homeassistant-selora

Security Scan

Capability signals

Requires OAuth tokenRequires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The SKILL.md describes connecting Home Assistant to OpenClaw through Selora Connect and the file edits/CLI commands, OAuth flow, and described read/write toolsets all align with that purpose. There are no unrelated binaries, env vars, or external services requested beyond the Selora endpoints and the OpenClaw config.

ℹ

Instruction Scope

The instructions tell the operator to edit ~/.openclaw/openclaw.json, restart the gateway, and complete an OAuth flow in-browser — all expected for this integration. The skill documents mutating tools (create/accept/delete automations, trigger scans) and enforces user-confirmation safety rules; however, the actual enforcement of those rules depends on the platform. Verify that mutating actions require explicit admin authorization before use.

✓

Install Mechanism

There is no install spec and no code files; this is instruction-only. That minimizes install risk because nothing is downloaded or written by the skill itself.

✓

Credentials

No environment variables, credentials, or config paths are requested by the skill. OAuth is performed dynamically via the MCP endpoint and Selora Connect, which is an expected design for this integration.

ℹ

Persistence & Privilege

The skill is not marked always:true. It allows autonomous model invocation by default (the platform default). Because the skill exposes mutating operations, ensure the platform or user enforces the documented safety confirmations before the agent performs changes on your Home Assistant.

Assessment

This skill is internally consistent for connecting Home Assistant to OpenClaw via Selora Connect, but before installing you should: (1) confirm you trust Selora Connect and the selorabox remote tunnel (exposing a remote MCP URL exposes access paths to your HA instance); (2) verify HTTPS/TLS and the exact mcp-<id>.selorabox.com host shown by Selora Connect; (3) be aware OpenClaw will dynamically register an OAuth client and store access/refresh tokens — revoke access in Selora Connect if you want to disconnect; (4) ensure platform-level enforcement of the SKILL.md safety rules (explicit confirmations for mutating actions) because the instructions allow creating/enabling/deleting automations and triggering scans; and (5) test locally first (use local MCP URL) before enabling remote access. If you need higher assurance, ask for the origin/maintainer of this skill and confirmation that the platform enforces the documented admin confirmation checks.

Like a lobster shell, security has layers — review code before you run it.

latestvk97989xhqvypg81gb8fjqnh5zd84y03g

189downloads

2stars

6versions

Updated 1w ago

v1.0.5

MIT-0

Home Assistant MCP Setup

Connect your Home Assistant to OpenClaw. Authentication is handled via OAuth 2.0 through Selora Connect — no manual tokens needed.

Prerequisites

Home Assistant 2025.1+ with the Selora AI integration installed.
A Selora Connect account with your HA installation linked.
OpenClaw installed.

1. Get Your MCP URL

Access	URL
Local	`http://homeassistant.local:8123/api/selora_ai/mcp`
Remote	`https://mcp-<id>.selorabox.com/api/selora_ai/mcp`

Your remote MCP URL (including your mcp-<id>) is shown in Selora Connect once MCP remote access is enabled. Enable it to provision a SeloraBox tunnel URL.

Use your HA IP (e.g. 192.168.x.x) instead of homeassistant.local if mDNS is slow.

2. Add the MCP Server

Add the server via the CLI:

openclaw mcp set home-assistant '{"url":"https://mcp-<id>.selorabox.com/api/selora_ai/mcp"}'

Or edit ~/.openclaw/openclaw.json directly:

{
  "mcp": {
    "servers": {
      "home-assistant": {
        "url": "https://mcp-<id>.selorabox.com/api/selora_ai/mcp"
      }
    }
  }
}

For local access, use http://homeassistant.local:8123/api/selora_ai/mcp as the URL.

3. Authenticate

Restart the OpenClaw gateway after editing the config.
Use any tool from the server (e.g. ask "Get a snapshot of my home"). OpenClaw connects and receives a 401 Unauthorized.
OpenClaw surfaces an authorization URL. Open it in a browser.
Approve access on the Selora Connect consent screen.
The browser redirects back to OpenClaw's callback to complete the exchange.
Tokens are cached and refresh silently from then on.

The callback must reach OpenClaw's listener. If the browser and OpenClaw are on the same machine, the redirect completes automatically. If they are on different machines, see Cross-device callback mismatch below.

4. Verify

Ask your agent: "Get a snapshot of my home". You should see selora_get_home_snapshot return your entities grouped by area.

Available Tools

Read tools:

Tool	Description
`selora_get_home_snapshot`	Entity states grouped by area — call this first
`selora_list_automations`	Selora automations with status and risk (filterable)
`selora_get_automation`	Full detail: YAML, versions, risk
`selora_validate_automation`	Validate and risk-assess YAML without creating
`selora_list_sessions`	Recent chat sessions
`selora_list_patterns`	Detected behavior patterns
`selora_get_pattern`	Full pattern detail with linked suggestions
`selora_list_suggestions`	Proactive suggestions with YAML previews

Mutating tools (🔒 require admin authorization):

Tool	Description
`selora_chat` 🔒	Natural-language chat — proposes automations with YAML and risk
`selora_create_automation` 🔒	Create automation from YAML (disabled by default)
`selora_accept_automation` 🔒	Enable a pending automation
`selora_delete_automation` 🔒	Delete permanently
`selora_accept_suggestion` 🔒	Create automation from a suggestion
`selora_dismiss_suggestion` 🔒	Dismiss a suggestion
`selora_trigger_scan` 🔒	Trigger immediate suggestion scan (rate-limited 60s)

Workflows

Explore your home

selora_get_home_snapshot — understand entities and areas.
selora_list_automations / selora_get_automation for existing automations.

Create from YAML

selora_validate_automation — check YAML and surface risk.
Show normalized YAML + risk, ask user confirmation.
selora_create_automation with enabled=false.
selora_accept_automation after explicit approval.

Create from natural language

selora_chat — describe what you want; Selora returns YAML + risk.
Summarize risk, ask user confirmation.
selora_create_automation or selora_accept_automation.

Act on suggestions

selora_list_suggestions (optionally selora_trigger_scan first).
Show suggestion details, ask user confirmation.
selora_accept_suggestion or selora_dismiss_suggestion.

Safety Rules

Never invent IDs — resolve from tool output only.
Never mutate without explicit user confirmation.
Always surface risk_assessment before mutating. High or missing risk requires a second confirmation.
Create automations disabled by default.
Do not skip validation for externally provided YAML.

How OAuth Works

OpenClaw discovers Connect's OAuth server from the MCP endpoint's .well-known/oauth-authorization-server metadata.
OpenClaw registers itself dynamically (POST /oauth/register).
OpenClaw starts an authorization code flow with PKCE and surfaces an authorization URL.
You open the URL and approve access on the Selora Connect consent screen.
OpenClaw exchanges the code for access + refresh tokens.
Tokens refresh automatically — no re-auth needed until you revoke access.

On 401 Unauthorized, OpenClaw reads the WWW-Authenticate header, attempts a token refresh, and falls back to a full OAuth flow if refresh fails. No manual re-configuration is needed.

Troubleshooting

Symptom	Fix
`401 Unauthorized` (auth URL shown)	Open the authorization URL, approve access on Selora Connect, and the flow completes automatically. If refresh fails later, OpenClaw triggers a new flow.
`401 Unauthorized` loop (no auth URL shown)	OpenClaw's native OAuth flow is not surfacing the authorization URL — check gateway logs for `401`, auth URL emission, and MCP startup failures. See Debugging with mcp-remote below.
Connection refused	Verify HA is running and URL is correct
Timeout	Check firewall; for remote, ensure SeloraBox tunnel is active
Tools not listed	Ensure Selora AI integration is installed and enabled
Admin tools rejected	Selora Connect role must be `owner` or `member` (not `viewer`)

Cross-device callback mismatch

The OAuth redirect targets localhost on the machine running OpenClaw. If your browser is on a different machine (e.g. OpenClaw on a server, browser on a laptop), the callback cannot reach OpenClaw's listener and the flow fails silently.

As a fallback, ask the user to copy the full callback URL (including the code and state parameters) from their browser's address bar after approving, and paste it back so the agent can complete the token exchange.

Debugging with mcp-remote

If OpenClaw keeps returning 401 without surfacing an authorization URL, use mcp-remote (requires Node.js 18+) to isolate the problem. It is not part of the normal setup — only a debugging tool.

npx -y mcp-remote https://mcp-<id>.selorabox.com/api/selora_ai/mcp

This helps verify the endpoint supports OAuth correctly and that the token exchange works end-to-end. If mcp-remote completes the flow successfully, the endpoint is working — the issue is in OpenClaw's OAuth runtime, not your HA setup.

Comments

Loading comments...