Is home-assistant safe?

https://clawhub.ai/iAhmadZain/home-assistant

72 · CAUTION

The home-assistant skill is a legitimate Home Assistant integration with no malicious code or prompt injection. However, it presents significant security concerns: it stores a powerful smart home access token in a plainly readable config file, passes unsanitized input through shell commands, and grants an AI agent full control over physical home devices including locks, garage doors, and security systems. The primary risk is not the skill itself but the attack surface it creates: any prompt injection or skill compromise in the same agent could leverage this skill to control the user's physical home.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (8)

HIGH AI agent gains full smart home control -35

This skill grants an AI agent the ability to control all Home Assistant entities including door locks, garage doors, security systems, and thermostats. A prompt injection in any other skill or conversation context could cause the agent to perform dangerous physical actions like unlocking doors or disabling alarms.

HIGH Long-lived access token stored in readable config file -40

The skill instructs users to store a Home Assistant long-lived access token in ~/.config/home-assistant/config.json with no file permission guidance. This token grants full API access to the user's smart home. Any other skill or agent with filesystem read access could exfiltrate this token.

MEDIUM Token transmitted in every API request -15

The HA_TOKEN is sent as a Bearer token in the Authorization header on every curl request to the configured HA_URL. If HA_URL is misconfigured or DNS-hijacked, the token would be sent to an attacker-controlled server.

MEDIUM Unsanitized input in shell script -25

The ha.sh script interpolates user-supplied values directly into curl arguments and JSON payloads without sanitization. The brightness parameter, entity_id, and the 'call' command's JSON data are all passed through without validation, creating potential for shell injection if an agent passes crafted input.

MEDIUM Regex injection via search command -10

The 'search' subcommand passes user input directly to jq's test() function as a regex pattern. While jq sandboxes this, a crafted pattern could cause ReDoS (regex denial of service) or unexpected matching behavior.

LOW Skill requests broad tool permissions -10

The skill requires curl and jq binaries, which together enable arbitrary HTTP requests to any endpoint. While this is appropriate for HA integration, it means the skill's tools could be repurposed for unintended network activity if the agent is manipulated.

LOW Webhook inbound channel could be abused -5

The webhook integration creates an inbound communication channel from Home Assistant to the agent. A compromised or malicious HA automation could send crafted webhook payloads designed to manipulate agent behavior through the event data.

INFO Clean install behavior -5

No suspicious activity during clone or install. All filesystem events are attributable to the platform runtime (openclaw/jiti). No network connections, no process spawning, no canary file access.