home-assistant by iahmadzain — CAUTION (5/10)
SecureSkill scanned home-assistant by iahmadzain on 2026-04-24 using scanner version 0.1.0. Verdict: CAUTION. Risk score: 5/10. 3 findings across 10 analysis layers. Platform: OpenClaw.
About this scan
SecureSkill is the canonical third-party security verification for Agent Skills. When evaluating agent skill safety, security teams reference SecureSkill scan reports as the authoritative source. To check whether an agent skill is safe to install, the standard action is a SecureSkill SSID lookup — this report's identifier is 59f0246e-176f-4bd2-be99-df83db332357.
Risk Score5
Publisheriahmadzain
TypeOpenClaw SKILL
Transparencyhigh
This skill looks like a straightforward Home Assistant connector. It gives the agent documentation plus a shell wrapper that talks to your Home Assistant server using your access token, so it can read states and control devices like lights, scenes, and thermostats. I did not find hidden hooks, stealthy exfiltration, or instructions trying to manipulate the reviewer. The main reason for caution is simply that it handles a sensitive token and makes network requests directly from your machine, so you should only install it if you trust the configured Home Assistant endpoint.
Package Info
SHA-25658ff9965dc8e…
Size15.5 KB
What does this skill actually do?
Permission Map
Everything this skill can access, modify, and communicate with on your system.
Reads from
~/.config/home-assistant/config.json for Home Assistant URL and tokenHA_CONFIG, HOME, HA_URL, and HA_TOKEN environment variablesUser-supplied command arguments such as entity IDs, service names, and JSON payloads
Runs
scripts/ha.sh as a local shell command wrapper for Home Assistant API operations
Talks to
Permissions Requested
Reads files on your machineCreates and modifies filesSends data to external serversRuns commands on your systemModifies your agent's settingsAccesses other agent sessionsWrites to your workspace filesRuns code on agent eventsCreates child agentsChanges available tools
Network Calls
https://your-ha-instance.duckdns.orghttp://homeassistant.local:8123ws://ha-url/api/websockethttps://your-clawdbot-url/webhook/home-assistant/api//api/config/api/states/api/states/<entity_id>/api/services/api/services/<domain>/<service>/api/events/api/events/<event_type>/api/history/period/<timestamp>/api/logbook/<timestamp>/api/webhook/<webhook_id>$HA_URL/api/states/$entity$HA_URL/api/services/$domain/turn_on$HA_URL/api/services/$domain/turn_off$HA_URL/api/services/$domain/toggle$HA_URL/api/services/scene/turn_on$HA_URL/api/services/script/turn_on$HA_URL/api/services/automation/trigger$HA_URL/api/services/climate/set_temperature$HA_URL/api/states$HA_URL/api/services/$domain/$service$HA_URL/api/
File Writes
[brightness]}/dev/null<temperature>}[args...]