Is clawhub/mcp-hass safe?

https://github.com/clawhub/mcp-hass

Overall score: 72 · CAUTION

The skill repository at clawhub/mcp-hass could not be cloned (private or nonexistent), resulting in no deliverable skill code to audit. The only artifact is a lock.json referencing an unrelated skill name 'academic-research-hub'. Sensitive files (.env, AWS credentials) were read during the installation context, though this appears to be platform runtime behavior. The skill is fundamentally unauditable in its current state.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 60/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (5)

HIGH Repository clone failed — skill is unauditable -30

The git clone of https://github.com/clawhub/mcp-hass failed with 'fatal: could not read Username for https://github.com: No such device or address'. The repository is either private, deleted, or requires authentication. No skill source code was delivered, making the skill completely unauditable.

MEDIUM Sensitive files accessed during installation context -25

The filesystem monitoring detected reads of /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json during the skill installation window. While these appear to be platform runtime reads (not skill-initiated), they occur in the skill audit context and represent sensitive credential exposure.

MEDIUM Skill name mismatch: lock.json references 'academic-research-hub' not 'mcp-hass' -15

The .clawhub/lock.json file lists an installed skill named 'academic-research-hub' at version 0.1.0, which does not correspond to the repository name 'mcp-hass'. This mismatch could indicate skill repackaging, a naming error, or a decoy manifest.

LOW Empty SKILL.md — no agent instructions delivered -10

The SKILL.md file is completely empty. While this means no prompt injection is present, it also means the skill provides no functionality and no documentation of its intended behavior.

INFO AWS credentials canary file was read but not modified -5

The honeypot .aws/credentials file was opened during the installation context (OPEN event at 07:51:37) but the canary integrity check confirms all files remained intact. This read is likely platform-level behavior.