Back to skill

Security audit

xiaomi-home-assistant-skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Home Assistant smart-home integration, but it can send real commands to physical devices using a user-provided token.

Install only if you are comfortable giving this skill a Home Assistant long-lived access token that may control lights, switches, curtains, speakers, and other mapped devices. Use the least-privileged token available, keep the Home Assistant URL trusted and preferably HTTPS/local, review all entity IDs and scenario methods before enabling, and avoid mapping sensitive devices unless you want the agent to control them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation states specific capabilities such as reading local configuration files and making Home Assistant network calls, yet the static finding indicates permissions are not properly declared. Undeclared file and network capabilities undermine permission transparency and can lead users or hosting platforms to grant trust without understanding the actual access required. In a smart-home context, file reads may expose tokens and network access can reach privileged home-automation APIs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill presents itself primarily as a monitoring and advisory integration with in-memory-only processing, but the described behavior includes active device control, scene execution, natural-language command mapping, and reading configuration/token files from disk. This mismatch is security-relevant because users may authorize the skill expecting passive observation while it can perform state-changing actions in the home, including controlling lights, curtains, and automations through Home Assistant. The misleading privacy claim also obscures the fact that sensitive credentials are stored and read from disk.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The skill performs active Home Assistant service calls that can directly control physical devices, while the declared skill scope emphasizes monitoring, status queries, and alerts. This mismatch is dangerous because users or platform reviewers may grant trust or permissions under the assumption of read-oriented behavior, yet the code can issue state-changing commands to switches and covers.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The scenario methods bundle multiple device-control actions into automations such as turning switches on/off and opening or closing curtains. In the context of a skill described as providing monitoring and intelligent suggestions, these hidden multi-step automations materially expand operational power and could surprise users or be abused to manipulate the home environment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README documents active device-control behavior such as turning on lights and voice-controlling smart speakers, but it does not clearly warn users that invoking the skill may change the physical state of devices in their home. In a home-automation context, undocumented actuation increases the risk of unintended commands affecting safety, privacy, comfort, or energy usage, especially if users assume the skill is monitor-only.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The 'too bright' scenario immediately closes curtains without any warning, consent, or confirmation. Unprompted physical-environment changes are risky in a home automation context because they can affect occupant safety, comfort, accessibility, or interfere with expected device behavior, especially when the skill is presented as advisory/monitoring oriented.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal