Is jiasenl/clawdbot-skill-homebridge safe?

https://github.com/openclaw/skills/tree/main/skills/jiasenl/clawdbot-skill-homebridge

89
SAFE

The jiasenl/clawdbot-skill-homebridge skill is a well-structured, legitimate home automation skill that provides API access to a local Homebridge Config UI X instance. No prompt injection, hidden instructions, or data exfiltration mechanisms were found in the skill files; the sensitive credential file accesses observed in monitoring were traced to the oathe audit infrastructure itself (pre-install baseline capture and post-install integrity verification), and all canary files remain intact. The primary residual risks are inherent to the skill's purpose: physical actuator control over home devices and plaintext credential storage, both of which are standard for this ecosystem.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6)

LOW Canary credential files read during audit session -10

Multiple sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened during the audit window. Temporal analysis places the first access cluster at 10:26:01 — approximately 5 seconds before the git clone began at 10:26:06 — indicating these accesses originated from the oathe monitoring infrastructure establishing baselines, not from the skill. A second cluster at timestamp 1771928784.328 aligns with the post-install canary verification sweep. All files were opened read-only (CLOSE_NOWRITE) and canary integrity confirmed intact.

LOW URL path injection surface in accessory_id parameter -8

The set_characteristic and get_accessory functions construct API URLs by directly interpolating the accessory_id argument into the path: f"{base_url}/api/accessories/{accessory_id}". If an attacker could influence the accessory_id value (e.g., via a compromised Homebridge server returning a manipulated uniqueId), path traversal or SSRF within the Homebridge host is theoretically possible. Risk is low because the base_url is user-controlled and Homebridge is a local service.

LOW Physical actuator control enables real-world harm -12

The skill exposes TargetHeatingCoolingState and TargetTemperature controls that can manipulate HVAC to extreme values (10-38°C range). If additional HomeKit accessories include smart locks, garage doors, or security systems, an agent operating under this skill could cause physical harm. This is inherent to the skill's purpose, not malicious design, but represents elevated risk compared to purely digital skills.

INFO Homebridge credentials stored in plaintext -5

The skill requires credentials (URL, username, password) in a plaintext JSON file at ~/.clawdbot/credentials/homebridge.json. While consistent with the clawdbot credential convention, plaintext storage means any other skill or process with filesystem access could read the Homebridge admin password.

INFO Python script included with network capabilities 0

homebridge_api.py is an executable Python script that makes outbound HTTP requests. During normal agent operation it would be invoked to contact the local Homebridge instance. The script is well-written and uses only stdlib; inclusion is expected and appropriate for this skill type.

INFO Clean sparse checkout from monorepo 0

The install process performed a shallow depth-1 clone of the openclaw/skills monorepo, applied a sparse checkout to the target subpath, copied files, and removed the temporary clone. This is a standard and clean installation pattern with no side effects.