Is iamvaleriofantozzi/moltbot-ha safe?
https://github.com/openclaw/skills/tree/main/skills/iamvaleriofantozzi/moltbot-ha
The moltbot-ha skill definition is clean: SKILL.md contains no prompt injection patterns, no exfiltration instructions, no hidden content, and no executable code. Clone behavior was limited to a single expected GitHub HTTPS connection with no persistent post-install network activity, and all canary honeypot files remained intact. The primary residual risks are the unaudited third-party PyPI binary (moltbot-ha) that the skill instructs users to install, and the real-world physical impact potential of controlling locks, alarms, and garage doors — both of which warrant caution despite the skill files themselves being well-designed and safety-conscious.
Findings (6)
MEDIUM Unaudited third-party PyPI dependency (-15)
The skill installs moltbot-ha from PyPI via 'uv tool install moltbot-ha'. The Python source of this package was not present in this audit and was not executed. Any malicious behavior (credential harvesting, network beaconing, filesystem traversal) would originate from that binary, not from the skill definition files. The package is authored by the same person who submitted the skill (iamvaleriofantozzi), which reduces but does not eliminate supply-chain risk.
MEDIUM Physical-world control with real-world consequences (-12)
The skill enables control of physical security devices — door locks, alarm panels, and garage doors — via Home Assistant. Misuse, prompt injection via HA entity state responses, or an overly-broad confirmation match could trigger irreversible physical actions. The safety system mitigates this but does not eliminate the risk.
LOW HA_TOKEN remains in agent environment scope (-10)
The skill requires HA_TOKEN as an environment variable. Once loaded, this long-lived Home Assistant access token is present in the agent's environment for the duration of the session. A co-loaded malicious skill, or prompt injection via crafted HA entity names or state values returned by moltbot-ha commands, could reference or exfiltrate this token.
LOW Broad affirmative confirmation definition (-12)
SKILL.md instructs the agent: 'BE SMART about what constitutes confirmation: "Yes", "OK", "Sure", "Do it", "Confirmed", or any affirmative response in the context of the request is sufficient.' While the intent is to avoid rigid keyword matching, this broad definition could cause the agent to treat an ambient affirmative (said in response to a different question) as authorization for a critical action if session context is ambiguous.
INFO Clone limited to expected GitHub HTTPS connection (0)
The only external network connection during install was to 140.82.121.3:443 (GitHub), which is the expected destination for cloning the openclaw/skills monorepo. No DNS queries to unexpected domains, no secondary downloads, and no post-install persistent connections were observed.
INFO All honeypot files intact (0)
Canary reads observed at timestamps 1771940772.542 and 1771940792.990 are attributable to the OATHE audit framework's pre-install baseline setup and post-install integrity check respectively (both via sudo/audit PIDs active before the git clone started). No skill-related process accessed canary files.