Is kordup/claw-hass safe?
https://github.com/openclaw/skills/tree/main/skills/kordup/claw-hass
claw-hass is a functionally legitimate OpenClaw plugin for Home Assistant integration with a clean, minimal SKILL.md and no prompt injection, hidden directives, or active data exfiltration in its code. The primary risk is inherent to its design: the skill provides broad read access to all HA sensor states and unrestricted execution of any HA action against any entity, including physical actuators like locks and alarms. Pre-compiled build artifacts (no source) slightly limit auditability, and transitive AWS SDK dependencies from the underlying agent platform are present but not attributable to malicious intent.
Findings (6)
MEDIUM (-22): Broad Home Assistant sensor and action access
The skill exposes ha:get_sensors (returns all sensor states, attributes, area, device metadata) and ha:run_action (executes arbitrary HA scripts/automations against any entity). While this is the intended design of a HA control skill, it represents a high-capability surface: an attacker who achieves prompt injection through another vector could use this skill to read security sensor states or trigger physical actuators.
MEDIUM (-13): Pre-compiled build artifacts only, no source code
The skill ships only compiled JavaScript in build/ with no TypeScript source files present. Static analysis of compiled output is more difficult. The core logic in HAClient.js is readable but obfuscation via compilation cannot be fully ruled out for future versions.
LOW (-5): Default Home Assistant URL uses unencrypted HTTP
config.js defaults the HA URL to http://127.0.0.1:8123. If users configure an external HA instance over HTTP, the long-lived access token and all sensor/action traffic would be transmitted in plaintext, exposing credentials to local network interception.
LOW (-8): Transitive AWS SDK dependency via agent platform
The package-lock.json includes @aws-sdk/client-bedrock-runtime, @aws-sdk/credential-provider-node, and related AWS credential chain packages as transitive dependencies of @mariozechner/pi-agent-core. These could theoretically read AWS credential files from the environment. This appears to originate from the underlying agent platform, not the skill itself, but warrants awareness.
LOW (-12): Canary files read during audit (not modified)
Multiple honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud credentials) were opened and read during the audit session. The canary integrity report confirms no file was modified. Timing analysis places these reads at audit-framework initialization (sudo setup at 05:10:29) and post-install verification (05:10:57), not during skill code execution. No correlated network exfiltration detected.
INFO (-15): Physical device control capability
The ha:run_action tool can trigger Home Assistant scripts and automations that control physical devices. In a well-configured HA instance this includes door locks, garage doors, alarm systems, HVAC, and cameras. While legitimate for home automation use, this represents a significant real-world impact surface if the agent is manipulated.