Back to skill

Security audit

py-homeassistant-cli

Security checks across malware telemetry and agentic risk

Overview

This is a powerful but openly documented Home Assistant command-line skill that can read and control smart-home data when given a Home Assistant token.

Install only if you want an agent to access and control your Home Assistant instance. Protect HA_TOKEN carefully, prefer the least-privilege Home Assistant credentials available, avoid passing tokens on the command line when possible, and require explicit approval for security devices, locks, garage/gate actions, automation changes, generic service calls, presence/calendar/history/logbook queries, notifications/TTS, and vehicle-location commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares environment-variable and network-based operation in metadata, but the file does not clearly declare corresponding permissions/constraints despite requiring access to HA_URL and HA_TOKEN and making REST calls to a Home Assistant instance. This matters because the skill can read sensitive home-state data and perform actions against physical devices, so missing or unclear permission declaration weakens user understanding and review controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated description frames the skill as a small device-control CLI, but the documented behavior is materially broader: it supports arbitrary service calls, template evaluation, history/logbook access, calendar access, notifications, presence/location queries, and Tesla-specific telemetry. This mismatch can cause users or higher-level agents to invoke the skill with insufficient caution, exposing private household data or enabling more powerful actions than the description suggests.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill presents itself as a small device-control CLI, but it also includes broad enumeration and arbitrary API execution primitives such as generic service invocation, template evaluation, and extensive state inspection. That capability expansion increases abuse potential because a user may grant a high-privilege Home Assistant token expecting limited automation control while the tool can query sensitive data or perform much broader actions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The hard-coded Tesla commands expose vehicle-specific battery, location, destination, and automation information that is unrelated to a generic Home Assistant CLI description. In skill context, this is more dangerous because it silently adds targeted tracking functionality that could reveal sensitive movement patterns and vehicle whereabouts to anyone running the tool with a valid token.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The arbitrary template command lets the caller submit any Jinja template to Home Assistant's template API, which is broader than simple device control and can be used for sensitive introspection across entities, areas, people, and metadata. In this skill context, that hidden breadth materially increases the amount of information that can be queried with the same token.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance is broad enough that an agent may use this skill for generic smart-home requests without strong guardrails, while the skill can affect locks, alarms, covers, automations, notifications, and arbitrary Home Assistant services. Although the document includes some safety rules, they are narrow and do not cover all sensitive operations such as arbitrary service calls, presence/history access, templates, or privacy-sensitive telemetry.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The presence command enumerates person and device_tracker entities and prints occupancy information without any indication that the output may be highly sensitive. In a smart-home context, exposing who is home or away can create real privacy and physical security risks if logs, terminals, or command output are observed by others.

Missing User Warnings

High
Confidence
94% confidence
Finding
The Tesla location and destination commands print precise latitude and longitude, which are highly sensitive and can directly reveal vehicle location, travel plans, and routines. In the context of a home automation CLI, this is especially dangerous because the feature is not clearly justified by the stated scope and could surprise users who only expected basic device control.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.