Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Itsyhome Control

v1.0.1

Control and query HomeKit and Home Assistant smart home devices via the Itsyhome macOS app (https://itsyhome.app). Use when the user asks to turn devices on/...

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the behavior in SKILL.md: all actions are implemented as HTTP calls to a local Itsyhome webhook (http://localhost:8423) or via the itsyhome:// URL scheme. The prerequisites (Itsyhome Pro with webhooks enabled on the same Mac) are consistent with the stated purpose and no unrelated permissions or env vars are requested.
Instruction Scope
Runtime instructions are limited to local HTTP requests (localhost) and the macOS URL scheme. That is expected for a local home-control skill. However, the API reference exposes debug endpoints (e.g., /debug/raw, /debug/cameras) and a raw HomeKit dump which can surface sensitive device/camera data. The SKILL.md does not require calling these, but they are available and could be invoked, so consider whether use of debug endpoints is acceptable.
Install Mechanism
No install spec or code files — instruction-only. Nothing will be written to disk or downloaded by the skill itself.
Credentials
The skill requires no environment variables, credentials, or config paths. Its only network interactions are to localhost (the Itsyhome webhook) or the local URL scheme, which is proportional to its function.
Persistence & Privilege
always:false and no special privileges requested. The skill can be invoked by the agent (normal platform behavior) but does not request permanent or system-wide changes.
Assessment
This skill is coherent and only talks to a local Itsyhome service or triggers the itsyhome:// URL scheme. Before installing: (1) ensure Itsyhome Pro and its webhook server are running only on the trusted Mac and that you intentionally enabled Webhooks; (2) be aware the API exposes debug endpoints (raw HomeKit dumps and camera debug) that could reveal sensitive device or camera data — avoid invoking them unless needed; (3) no external credentials are requested, but the agent will issue HTTP requests to localhost, so only enable this skill for agents you trust. If you want extra safety, restrict the agent's network permissions to localhost and verify Itsyhome's webhook settings (disable debug endpoints or require app-level confirmation if possible).


578 downloads
0 stars
2 versions
Updated 23h ago
MIT-0

Itsyhome Control

Itsyhome exposes a local HTTP webhook server (default port 8423) and a URL scheme (itsyhome://).

Prerequisites: Itsyhome Pro, webhook server enabled in Settings → Webhooks.

Core Pattern

All control and query operations happen via curl http://localhost:8423/<action>/<target>.

  • Targets use Room/Device format or just DeviceName
  • Spaces → %20 in URLs
  • On success: {"success": true} or JSON data
  • On failure: {"error": "..."} with HTTP 4xx

Workflow

  1. If target is ambiguous → curl http://localhost:8423/list/devices to find exact names
  2. To check current state → curl http://localhost:8423/info/<target>
  3. To control → appropriate action endpoint (see references/api.md)
  4. Confirm to user with what was done; include state if queried

Quick Reference

# Status
curl http://localhost:8423/status

# List
curl http://localhost:8423/list/rooms
curl http://localhost:8423/list/devices
curl http://localhost:8423/list/devices/Kitchen

# Query
curl http://localhost:8423/info/Office/Spotlights

# Control
curl http://localhost:8423/toggle/Office/Spotlights
curl http://localhost:8423/on/Kitchen/Light
curl http://localhost:8423/brightness/50/Bedroom/Lamp
curl http://localhost:8423/scene/Goodnight

For the full endpoint list, all control actions, and URL scheme reference: see references/api.md.
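
The Assessment's advice to stay on localhost and avoid the debug endpoints can be enforced in a small wrapper that builds every URL from the Core Pattern rules. This is an added example, not part of the skill or of Itsyhome; the function names itsy_url and itsy_call, the 0 to 100 brightness range and the restricted target character set are assumptions.

```shell
#!/bin/sh
# Added example: allowlist guard for agent-issued Itsyhome webhook calls.
ITSY_BASE="http://localhost:8423"   # default port stated on the page

# itsy_url ACTION [TARGET]: print a vetted URL, or return 1 and print nothing.
itsy_url() {
    itsy_action=$1
    itsy_target=${2:-}
    # Only the actions shown in the Quick Reference are allowed; anything
    # else, including debug/raw and debug/cameras, is refused.
    case "$itsy_action" in
        status|list/rooms) [ -z "$itsy_target" ] || return 1 ;;
        list/devices) ;;                          # optional room filter
        info|toggle|on|scene) [ -n "$itsy_target" ] || return 1 ;;
        brightness/[0-9]|brightness/[0-9][0-9]|brightness/100)  # assumed 0-100
            [ -n "$itsy_target" ] || return 1 ;;
        *) return 1 ;;
    esac
    # Targets are Room/Device or DeviceName. Assumption: letters, digits,
    # space, '/', '_' and '-' only, which blocks '..', '?', '#', '%' and
    # empty path segments that could redirect the request to another route.
    itsy_bare=$(printf '%s' "$itsy_target" | tr -d ' ')
    case "$itsy_bare" in
        *[!A-Za-z0-9/_-]*|*//*|/*|*/) return 1 ;;
    esac
    itsy_enc=$(printf '%s' "$itsy_target" | sed 's/ /%20/g')  # spaces -> %20
    printf '%s/%s' "$ITSY_BASE" "$itsy_action"
    [ -z "$itsy_target" ] || printf '/%s' "$itsy_enc"
    printf '\n'
}

# itsy_call ACTION [TARGET]: send the request only if itsy_url accepted it.
itsy_call() {
    itsy_req=$(itsy_url "$@") || { echo "refused: $*" >&2; return 1; }
    # Plain HTTP only, never through a proxy, short timeout.
    curl --silent --show-error --max-time 5 --proto '=http' \
         --noproxy localhost "$itsy_req"
}
```

Device names containing other characters need the allowlist in itsy_url widened deliberately, together with matching percent-encoding.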
