Skill v1.0.2
ClawScan security
Home Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 16, 2026, 12:37 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill mostly matches its Home Assistant purpose, but there is a clear mismatch between the documented safety requirement (agent must confirm critical actions) and the CLI script's behavior which can allow critical actions to proceed in non-interactive contexts — this creates a real risk if the agent is allowed to invoke the skill autonomously.
- Guidance
- This skill is coherent with a Home Assistant CLI wrapper, but do not install it without addressing the safety issue and taking precautions:
  - Do not hand HA_TOKEN to untrusted agents. A long-lived token gives full access to your Home Assistant instance.
  - The script attempts interactive confirmation for locks, alarms, and garage covers, but in non-interactive contexts the confirmation can be bypassed (the read falls back and allows the action). If you plan to allow autonomous agent invocation, fix the script before use (example: make the script abort when stdin is not a TTY or treat a failed read as denial). Example fix: replace `read -r -p "Confirm? " response 2>/dev/null || return 0` with logic that exits on non-interactive input (e.g., `if ! [ -t 0 ]; then echo "Non-interactive: cancelling"; exit 1; fi; read -r -p ...`).
  - Use blocked_entities.json to hard-block any security-sensitive entities (main breaker, front door locks, garage door) and verify it is in place and correct.
  - Keep .env and $HOME/.config/homeassistant/config.json permissions restrictive (chmod 600) and do not commit them to source control.
  - Test all commands manually from a terminal before letting an agent call them; run inventory generation locally so ENTITIES.md is accurate.
  - If you cannot patch the script, avoid granting the skill autonomous invocation rights or avoid providing HA_TOKEN in environments where the agent can call the CLI non-interactively.

  If the author provides a patched version that forces explicit confirmation or fails safely in non-interactive modes, the coherence concerns would be resolved.
Review Dimensions
- Purpose & Capability
- ok: Name, description, required environment variables (HA_URL, HA_TOKEN), and required binaries (curl, jq) align with a Home Assistant REST API wrapper. Node.js is optional for inventory generation and is marked as optional.
- Instruction Scope
- concern: SKILL.md explicitly requires the agent to confirm critical actions before invoking commands. The shipped CLI (scripts/ha.sh) implements safety checks and an optional blocked_entities.json, but warn_critical uses an interactive read that falls back with `read ... || return 0` — in non-interactive environments this causes the function to return success without explicit confirmation, allowing critical actions to proceed. This is inconsistent with the stated workflow and dangerous if the agent invokes the script non-interactively.
- Install Mechanism
- ok: No install spec — instruction-only + included scripts. No network downloads, no archive extraction. Risk from install mechanism itself is low.
- Credentials
- note: Only HA_URL and HA_TOKEN are required, which is appropriate. The skill reads .env and $HOME/.config/homeassistant/config.json (both declared in metadata), which may expose a token if present there — the README/skill warns to protect those files. The number and nature of env vars requested are proportionate to the functionality.
- Persistence & Privilege
- concern: always:false and no persistent installation are appropriate. However, because the platform allows autonomous invocation (disable-model-invocation:false) and the skill is given direct access to HA_TOKEN, the ability to invoke actions autonomously combined with the non-interactive bypass bug increases the blast radius. This combination is notable and requires user caution.
