Is djasha/home-assistant-master safe?

https://github.com/openclaw/skills/tree/main/skills/djasha/home-assistant-master

94/100 · SAFE

The home-assistant-master skill is a pure-markdown, instruction-only set of operational playbooks for Home Assistant OS with zero executable code, no prompt injection vectors, and no data exfiltration mechanisms. It implements a well-designed tiered safety model (Tier 0–3) with read-only defaults, mandatory two-step confirmation for sensitive physical actuators, and explicit prohibitions on secret exposure. Canary file accesses observed in monitoring are attributable to the audit framework's own baseline sweeps, not to any skill-originated process.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (5)

LOW Physical security actuator scope (locks, alarms, cameras) -10

The skill is explicitly designed to issue Home Assistant service calls affecting physical security infrastructure including locks, alarms, garage doors, and cameras. While mandatory two-step confirmation and a deny-by-default policy significantly mitigate this risk, the breadth of control over physical systems warrants awareness. An agent running this skill with tool access to a Home Assistant instance holds elevated real-world power.

LOW Credential-adjacent design with dedicated token-handling reference -10

The skill includes a dedicated reference file (access-and-credentials.md) covering HA connector tokens, browser relay credentials, and secret storage. Although the policy is best-practice conservative (no pasting secrets, least-privilege, mask output, rotate on exposure), the skill assumes long-lived API tokens will exist in the agent's operational context, expanding the credential attack surface if the agent were compromised by another vector.

INFO Soft persona assignment in reference file -5

home-agent-profile.md proposes the agent adopt the name 'NORA Home' with a specific voice style. This is a UX customization suggestion that does not override safety policy, request elevated permissions, or conflict with the host agent's instructions. It is a common pattern in domain-specific skills.

INFO Lazy-loaded reference map (nine supplementary files) -3

SKILL.md declares nine reference files to be loaded on demand. All nine files were reviewed in full; contents are legitimate operational playbooks, safety policies, and HA documentation citations. No hidden instructions, no external fetch directives, no encoding tricks found in any reference file.

INFO Canary file reads attributable to audit framework baseline sweeps -5

inotify and auditd records show OPEN/ACCESS events on canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at two timestamps: once pre-install (audit(1771922525)) during the before-baseline sweep, and once post-install (audit(1771922549)) during the after-verification sweep. The git clone and install complete between these two windows (audit(1771922531–1771922548)). The skill contains no executable code capable of triggering file system reads; all canary files passed the integrity check intact.