Home Assistant Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Home Assistant admin toolkit, but it needs Review because it establishes durable high-privilege access with weak consent controls and includes explicit scanner-evasion code around privileged token use.

Install only if you are comfortable granting this skill persistent SSH and long-lived API control over your Home Assistant instance. Use a dedicated revocable SSH key and token, avoid exposing SSH beyond a trusted network or VPN, review the scripts before use, and require manual confirmation before restore, backup deletion, restart, dashboard apply, or arbitrary service calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The onboarding flow instructs the agent to read or silently generate an SSH key on the agent machine, then use that key to obtain access to the user's Home Assistant host. That exceeds normal Home Assistant assistance and creates persistent infrastructure-level access from the agent environment to the user's system, which is highly sensitive and unnecessary for many support scenarios.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The skill directs the agent to modify the local OpenClaw configuration file and persist Home Assistant credentials there automatically. Reconfiguring the agent environment and storing secrets is outside the narrow task of answering Home Assistant questions and increases the blast radius if the skill is abused or misfires.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding
The comment explicitly states that token handling is written so a preflight scanner 'does not see' a literal variable reference, which is classic scanner-evasion behavior. Even though the runtime behavior still targets legitimate Home Assistant APIs, deliberately concealing sensitive-token usage from security review undermines trust and can hide more serious abuse in agent tooling with privileged SSH and API access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The code concatenates '$' and 'SUPERVISOR_TOKEN' solely to avoid static detection, and the adjacent comment confirms this purpose. In a skill that already has broad Home Assistant management and SSH privileges, this kind of concealment materially increases the risk of covert credential use and makes auditing harder.

Intent-Code Divergence

Severity: Medium
Confidence: 82%
Finding
The header comments describe limited file access and imply constrained behavior, but the script also exposes a generic `get` command that can retrieve arbitrary Home Assistant API endpoints. This creates a documentation-to-capability mismatch that can mislead downstream agents or users into granting broader access than they expect, increasing the chance of sensitive data exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The `get` subcommand provides unrestricted access to arbitrary Home Assistant REST endpoints, which is broader than the described management operations and can expose configuration, state, diagnostics, or other sensitive platform data. In an agent context, this materially increases the blast radius because a prompt-driven agent can be induced to query endpoints never intended by the skill’s stated scope.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The code explicitly constructs the SUPERVISOR_TOKEN reference by concatenation and states this is done so a preflight scanner will not detect the literal variable name. That deliberate evasion strongly indicates intent to bypass security review while accessing a highly privileged credential for remote API calls.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The inline comment admits the token concatenation exists to avoid scanner detection, which directly contradicts the stated benign purpose of merely scanning integrations. In a security-sensitive agent skill, concealment of privileged token access materially increases risk because it defeats review and hides sensitive behavior.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README advertises restore and dashboard apply capabilities that can directly modify or overwrite Home Assistant configuration, but it provides no caution about destructive effects, confirmation requirements, or rollback expectations. In a skill designed for remote full management over SSH, omission of such warnings increases the chance of unsafe operator use and unintended service disruption or configuration loss.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README instructs users to store a Home Assistant long-lived access token and SSH connection details in configuration without warning that these are high-value secrets. Exposure of the token or SSH access could grant broad control over devices, automations, backups, and configuration, making this especially sensitive in a home automation skill with full administrative access.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The invocation criteria are extremely broad, telling the system to use the skill whenever the user mentions many common Home Assistant-related topics. That increases the chance of accidental activation in benign conversations, which is especially dangerous because this skill has instructions for SSH access, file changes, and credential collection.

Vague Triggers

Severity: Low
Confidence: 84%
Finding
The re-scan trigger phrases are vague and can cause the skill to perform networked actions and local file writes based on casual language. While lower severity than the onboarding issues, this still creates unnecessary risk because rescanning triggers multiple automated operations against the user's environment.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The skill explicitly tells the agent to silently inspect or create a local SSH keypair without first warning the user. Secretive local key creation is dangerous because it establishes a durable authentication artifact on the agent machine and hides a major trust decision from the user.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The auto-configuration workflow stores credentials locally and initiates SSH/API connectivity tests without a prominent consent step at the moment those actions occur. Even if the user provided connection details, silently persisting them and initiating privileged network access creates avoidable security and privacy risk.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The delete operation removes backups immediately with no built-in warning, confirmation, or dry-run safeguard in the script itself. In this skill’s context, the script is intended for remote Home Assistant administration over SSH, so an accidental invocation, agent mistake, or prompt-induced misuse could permanently delete recovery artifacts and reduce the ability to recover from outages or compromise.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The `call` command allows arbitrary Home Assistant service invocation with attacker-controlled domain, service, and JSON payload, enabling broad state-changing actions without confirmation. Because Home Assistant services can unlock doors, disable alarms, run scripts, or alter automations, this effectively grants a generic remote action primitive to any agent using the skill.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The restart command immediately triggers a Home Assistant core restart with no confirmation, delay, or safeguard. This can disrupt automations, monitoring, and device control, and in a prompt-injection or mistaken-invocation scenario it enables easy denial of service against the smart-home platform.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The SSH fallback silently accesses the supervisor token on the remote host and uses it to query internal APIs, which is privileged behavior not clearly disclosed to the user. In this skill context, hidden credential use is especially dangerous because the tool advertises broad Home Assistant management over SSH and could expose or misuse highly sensitive administrative access.

Ssd 3

Severity: High
Confidence: 98%
Finding
The workflow solicits a long-lived access token and then instructs the agent to retain it in local configuration for later automated use. Persistent storage of a privileged Home Assistant token materially increases the risk of credential theft, misuse, or later unintended actions against the user's smart-home environment.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The skill tells the agent to read its own SSH public key and embed it in a user-facing message to gain persistent SSH access to the user's Home Assistant system. Although a public key is not secret, this is still a mechanism for establishing enduring trust and remote access from the agent environment, which is highly sensitive.

Ssd 4

Severity: High
Confidence: 98%
Finding
The onboarding sequence builds trust through setup guidance and then culminates in granting SSH access plus a long-lived API token, followed by automated persistence and scanning. This staged flow is dangerous because it normalizes high-risk access escalation and could be repurposed to obtain durable control over the user's environment.

VirusTotal

65/65 vendors flagged this skill as clean.