Is developmentcats/homeassistant-assist safe?
https://github.com/openclaw/skills/tree/main/skills/developmentcats/homeassistant-assist
The homeassistant-assist skill is a clean, markdown-only wrapper around Home Assistant's Conversation API with no executable code, no credential harvesting, and no prompt injection attempts. The primary risk is not malice but design: the skill's 'fire and forget' pattern passes user input verbatim to HA with no validation, and the required HASS_TOKEN grants unrestricted smart-home access including physical security devices. Canary files remained intact throughout, and all suspicious file accesses were traced to the audit framework's own baseline and verification sweeps.
Findings (5)
MEDIUM HASS_TOKEN grants unrestricted smart-home control -20
The skill requires a long-lived Home Assistant access token. This token has no scope restriction in HA's current auth model and grants the ability to control any device including physical security devices (locks, alarms, cameras, garage doors). A compromised agent session or prompt injection from an untrusted source (e.g., a website read by a companion browser skill) could issue commands that have real-world physical consequences.
LOW Unsanitized user input forwarded verbatim to external API -10
The skill's core pattern is to take whatever the user says and pass it as-is to the HA Conversation API. While this is the intended design, it means any text that reaches the agent (including injected content from documents or web pages) will be sent to HA as a command. There is no filtering, confirmation step, or intent classification before execution.
LOW Privileged token transmitted on every invocation -12
Every curl call includes the HASS_TOKEN as a Bearer token in the Authorization header. If HASS_SERVER is not HTTPS or the TLS certificate is not validated (curl does not pin certs by default), the token could be intercepted. The skill does not enforce TLS or warn about non-HTTPS server URLs.
INFO Post-install openclaw-gateway cloud connections 0
After install, the openclaw-gateway process established connections to 54.211.197.216 (AWS) and opened local listeners on ports 18790/18793. These are attributable to the openclaw platform itself (not this skill), but users should be aware the agent platform phones home to a cloud service.
INFO Canary files read twice by audit framework (not by skill) -5
All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were read at two points: the audit baseline setup (~1771933805) and a post-install integrity sweep (~1771933827). Neither access window overlaps with the skill install window (1771933810–1771933823). Files were not modified.