Skill v1.0.2
VirusTotal security
Home Assistant · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Benign · Apr 30, 2026, 4:03 AM
- Hash: 9aa100beb291c642c4b9a7839dbd7546968bfe579d402a2f06121612f2f02662
- Source: palm
- Verdict: benign
- Code Insight: Type: OpenClaw Skill; Name: ha-ultimate; Version: 1.0.2. The skill is designed for Home Assistant control, requiring HA_URL and HA_TOKEN as expected for its functionality. It implements multiple safety features, including explicit instructions for the AI agent to confirm critical actions with the user, a `blocked_entities.json` file for hard-blocking entities, and an interactive `warn_critical` prompt in `scripts/ha.sh`. There is no evidence of intentional malicious behavior such as data exfiltration, persistence mechanisms, or unauthorized remote code execution. While some shell commands embed user-provided strings into JSON payloads without explicit JSON escaping (e.g., `entity_id` in `scripts/ha.sh`), this is a minor input sanitization vulnerability that would likely result in an API error rather than shell injection or arbitrary code execution, and does not indicate malicious intent.
