Is clawhub/homeassistant-skill safe?

https://github.com/clawhub/homeassistant-skill

22
DANGEROUS

This skill is effectively non-functional: the repository clone failed, SKILL.md is empty, and the only artifact is a lock.json referencing a completely different skill name ('academic-research-hub' vs 'homeassistant-skill'). The install process still triggered access to sensitive files (.env, .aws/credentials, auth-profiles.json) as part of the platform's own bootstrap. The name mismatch and empty state suggest this could be a skeleton repository positioned for future weaponization.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 15/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (6)

CRITICAL Repository clone failed — skill does not exist or is inaccessible -85

The git clone operation failed with 'fatal: could not read Username for https://github.com'. The repository at clawhub/homeassistant-skill either does not exist, is private, or the URL is malformed. No skill code was actually retrieved.

CRITICAL Sensitive credential files accessed during install -95

The install process (platform-side, not skill-side) accessed .env, .aws/credentials, and auth-profiles.json. While this appears to be platform bootstrap behavior rather than skill-initiated exfiltration, it means installing a broken/nonexistent skill still exposes credentials to the execution environment.

HIGH lock.json references a different skill than the repository name -90

The only file in the skill directory (.clawhub/lock.json) references 'academic-research-hub' version 0.1.0, but the repository is named 'homeassistant-skill'. This name mismatch is suspicious and suggests the repository was repurposed, is a placeholder, or was deliberately set up to masquerade as a different skill.

HIGH Empty SKILL.md — no declared purpose or behavioral contract -50

SKILL.md is completely empty. Legitimate skills always document their purpose and provide prompt instructions. An empty SKILL.md means the skill has no declared functionality, making it impossible to assess intended behavior. This could be a placeholder for future prompt injection content.

MEDIUM Repeated access to platform configuration and shell profiles -15

The install process repeatedly read .openclaw/openclaw.json, .profile, and .bashrc — at least 4-5 times each. While likely platform behavior, these files may contain exported API keys or secrets.

LOW jiti temp files created during install -20

Numerous .cjs files were compiled by jiti and written to /tmp/jiti/ during install. These appear to be platform module compilation artifacts, not skill-authored code. However, the volume (15+ files) is notable.