Is clawhub/homeassistant-assist safe?

https://github.com/clawhub/homeassistant-assist

72
CAUTION

This skill is an empty repository containing only a .clawhub/lock.json file with a mismatched skill name ('academic-research-hub' vs 'homeassistant-assist'). While the skill itself contains no malicious code or prompt injection, the installation process triggered access to sensitive credential files (.env, .aws/credentials, auth-profiles.json). This is likely platform behavior but still concerning. The empty repository, the name mismatch, and the zero functionality together make this a low-value, moderate-risk installation with potential for future update-based attacks.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

CRITICAL AWS credentials file accessed during installation -30

The filesystem monitor recorded ACCESS to /home/oc-exec/.aws/credentials during the skill installation process. While this may be platform behavior rather than skill-initiated, it demonstrates that credential files are exposed during the install lifecycle.

CRITICAL .env file accessed during installation -25

The filesystem monitor recorded ACCESS to /home/oc-exec/.env, which typically contains sensitive environment variables such as API keys, database passwords, and service tokens.

HIGH Authentication profiles accessed during installation -10

The file /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json was accessed, potentially exposing authentication tokens or OAuth credentials for connected services.

MEDIUM Skill name mismatch between repo and lock.json -20

The repository is named 'homeassistant-assist' but the lock.json references 'academic-research-hub'. This mismatch suggests the repo may have been repurposed, is a placeholder, or is intentionally misleading about its purpose.

MEDIUM Empty skill with zero functionality -20

The SKILL.md is empty and there is no package.json or source code. This skill provides no functionality whatsoever, making it either incomplete, abandoned, or potentially a staging repository for future malicious content.

MEDIUM Potential sleeper/update-attack vector -15

An empty skill that is installed now could receive content updates later. If the platform auto-updates skills without re-auditing, this pattern allows an attacker to establish trust with a benign (empty) skill and later push malicious content.

LOW Runtime transpilation during install phase -10

Multiple .cjs files were created under /tmp/jiti/ during installation. While this appears to be the openclaw platform's jiti transpiler rather than skill-initiated code, it indicates code execution occurs during the install lifecycle.

INFO Platform lock file and DNS config accessed -5

A gateway lock file was created and DNS configuration was read, indicating the platform's networking stack initialized during installation.