Home Assistant
v1.0.0Control Home Assistant smart home devices, run automations, and receive webhook events. Use when controlling lights, switches, climate, scenes, scripts, or any HA entity. Supports bidirectional communication via REST API (outbound) and webhooks (inbound triggers from HA automations).
⭐ 40· 16k·198 current·212 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description and provided scripts (scripts/ha.sh) align with a Home Assistant controller: it uses HA_URL and HA_TOKEN to call HA REST endpoints, control entities, and trigger automations. However, registry metadata claims no required binaries or env vars while SKILL.md and the script clearly require curl and jq and expect either a config file (~/.config/home-assistant/config.json) or HA_URL/HA_TOKEN environment variables.
Instruction Scope
SKILL.md stays within the stated purpose (calling HA REST API and describing webhook usage). It directs creating a plaintext config file in the user's home or setting HA_URL/HA_TOKEN env vars and documents inbound webhook configuration from HA. It does not instruct the agent to read unrelated system files. Caveat: it presumes the platform will accept inbound webhooks at a public URL ("your-clawdbot-url"), but the skill does not provide safe guidance for exposing an agent or how webhook authentication/verification should be handled.
Install Mechanism
No install spec is present; this is instruction-only with a small included bash script. There is no external download/extract step. Risk from installation mechanics is low.
Credentials
The skill requires a long‑lived Home Assistant token (HA_TOKEN) and HA_URL for operation and depends on jq and curl, but the registry metadata lists no required env vars or binaries. That mismatch is suspicious because sensitive credentials are needed but were not declared as required in the registry metadata. Also the SKILL.md recommends storing a long‑lived access token in a plaintext file in the user home, which is a reasonable but sensitive practice that users should be aware of.
Persistence & Privilege
always: false and model invocation is allowed (normal). The skill does not request system-wide configuration changes or attempt to modify other skills. It reads/writes only its own config path (~/.config/home-assistant/config.json).
What to consider before installing
This skill appears to be a straightforward Home Assistant CLI, but there are some mismatches you should consider before installing: (1) The skill uses curl and jq and requires HA_URL and HA_TOKEN, yet the registry metadata doesn't declare those requirements — treat that as a red flag and confirm you understand what secrets the skill needs. (2) It recommends storing a long‑lived access token in ~/.config/home-assistant/config.json (plaintext in your home directory) — ensure the file permissions are locked (e.g., 600) and you are comfortable storing such a token there. (3) The SKILL.md explains receiving inbound webhooks to a "clawdbot" URL; if you plan to enable that, verify how the agent runtime exposes webhook endpoints, ensure the webhook URL is not publicly exposing sensitive controls, and require authentication/verification on inbound requests. (4) Because the skill's source/homepage is unknown, prefer installing only if you can audit the included script (scripts/ha.sh) yourself or if you trust the publisher. If you want to proceed, verify jq and curl are installed, create the config file with restrictive permissions, and consider using a short‑lived or limited token if possible. If you need higher assurance, ask the publisher for authoritative source and a homepage or inspect the script line‑by‑line (it is small and readable).Like a lobster shell, security has layers — review code before you run it.
latestvk97fn33c7a8tev0jraxpyjky7n80230c
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🏠 Clawdis
Binsjq, curl