Is anotb/homeassistant-skill safe?
https://github.com/openclaw/skills/tree/main/skills/anotb/homeassistant-skill
The homeassistant-skill is a documentation-only SKILL.md with no executable code, no install-time side effects, and no prompt injection or exfiltration vectors. The skill is clean from a supply chain and static analysis perspective; all credential file accesses observed in monitoring are attributable to the audit system's canary setup phase rather than the skill itself. The primary risk is inherent to the skill's purpose: it provides LLM-mediated control of physical security devices (locks, alarms, garage doors) and household presence tracking, where the only safety guardrails are behavioral instructions to the agent rather than technical restrictions.
Findings (6)
MEDIUM Physical security actuator access (locks, alarms, garage doors) -15
The skill provides direct REST API access to physical security devices. Safety confirmation requirements exist as behavioral instructions in the skill text, but have no technical enforcement. A prompt injection attack reaching the agent from any external input source (email, document, web page) could bypass these soft guardrails and actuate physical access controls without user confirmation.
MEDIUM Real-time household occupancy disclosure via presence tracking -8
Person and device_tracker endpoints reveal home/away status and locations for all tracked people. This information is highly sensitive (burglary risk, domestic safety) and will appear in agent context/output whenever queried.
LOW Open-ended service invocation pattern without domain allowlist -6
The generic 'Call Any Service' section documents an unrestricted curl pattern for any HA domain/service combination. This is architecturally correct for a general HA skill but means no part of the skill text restricts which services the agent can invoke beyond the explicitly listed safety rules.
LOW Security automation disable capability relies on behavioral compliance -5
automation/turn_off can disable any HA automation including security-related ones. The only protection is the soft safety rule in the skill text. Automation names are discoverable via the list endpoint, enabling targeted disable requests.
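The three findings above share one root cause: the skill's safety rules live only in prompt text. As an added example (not code from the skill or from the audit tool), here is the kind of technical enforcement layer a deployer could put between the agent and the Home Assistant REST API: a default-deny domain allowlist, a mandatory out-of-band confirmation for physical-security domains and for automation/turn_off, and the same confirmation gate on presence reads. The `Request`/`evaluate` names and the domain sets are assumed policy choices for illustration; the `/api/services/<domain>/<service>` and `/api/states/<entity_id>` paths are Home Assistant's own REST endpoints.

```python
"""Policy gate that turns the skill's soft safety rules into technical enforcement.
Assumed design: every HA REST request the agent wants to make passes through evaluate()."""
from dataclasses import dataclass
from enum import Enum
import re

class Verdict(Enum):
    ALLOW = "allow"      # execute immediately
    CONFIRM = "confirm"  # hold until a human approves out-of-band
    DENY = "deny"        # never execute

# Domains that actuate physical access or alarms: always require confirmation.
PHYSICAL_SECURITY_DOMAINS = {"lock", "alarm_control_panel", "cover"}
# Domains the agent may call on its own; everything else is denied (default-deny).
ALLOWED_DOMAINS = {"light", "switch", "climate", "media_player", "scene", "automation"}
# Service calls that weaken the security posture even in an allowed domain.
PROTECTED_SERVICES = {("automation", "turn_off"), ("automation", "toggle")}
# Presence entities whose state must not reach agent context without approval.
PRESENCE_DOMAINS = {"person", "device_tracker"}

_SERVICE_RE = re.compile(r"^/api/services/([a-z_]+)/([a-z_]+)$")
_STATE_RE = re.compile(r"^/api/states/([a-z_]+)\.[a-z0-9_]+$")

@dataclass(frozen=True)
class Request:
    method: str  # "GET" or "POST" as sent to the HA REST API
    path: str

def evaluate(req: Request, confirmed: bool = False) -> Verdict:
    """Classify one HA REST request; `confirmed` means a human approved this exact call."""
    if req.method == "POST" and (m := _SERVICE_RE.match(req.path)):
        domain, service = m.groups()
        if domain in PHYSICAL_SECURITY_DOMAINS or (domain, service) in PROTECTED_SERVICES:
            return Verdict.ALLOW if confirmed else Verdict.CONFIRM
        return Verdict.ALLOW if domain in ALLOWED_DOMAINS else Verdict.DENY
    if req.method == "GET" and (m := _STATE_RE.match(req.path)):
        if m.group(1) in PRESENCE_DOMAINS:
            return Verdict.ALLOW if confirmed else Verdict.CONFIRM
        return Verdict.ALLOW
    # Unrecognised paths, including bulk state listings that would include presence, are denied.
    return Verdict.DENY

if __name__ == "__main__":
    for req in [Request("POST", "/api/services/light/turn_on"),
                Request("POST", "/api/services/lock/unlock"),
                Request("POST", "/api/services/automation/turn_off"),
                Request("GET", "/api/states/person.alice"),
                Request("POST", "/api/services/shell_command/run")]:
        print(req.method, req.path, "->", evaluate(req).value)
```

A prompt injection that convinces the agent to unlock a door still produces only a CONFIRM verdict here, because approval is a separate signal the agent cannot forge from its own output.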
INFO Canary credential files accessed during pre-clone audit setup phase -5
Honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were read-accessed at 04:42:26, before the git clone at 04:42:31. All accesses carry CLOSE_NOWRITE — no writes or modifications. Timing, process context, and the clean canary integrity result strongly indicate this is the oathe audit system verifying its own canary placement, not skill-originated access. Noted for completeness.
INFO No executable code — documentation-only skill -3
The skill contains only SKILL.md, README.md, and _meta.json. No package.json scripts, no git hooks, no submodules, no symlinks. Nothing executes at install time beyond the standard monorepo sparse-checkout.