Is maxsumrall/homey safe?

https://github.com/openclaw/skills/tree/main/skills/maxsumrall/homey

89
SAFE

This is a legitimate smart home control skill for Athom Homey devices with clean code and no malicious behavior detected. The skill requires API credentials and controls IoT devices; both are normal for its intended functionality but carry standard security considerations.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3)

LOW API Credential Storage -15

The skill requires storing Homey API keys and cloud tokens in local configuration files (~/.homey/config.json). While legitimate for the skill's functionality, this involves handling sensitive authentication data.

LOW Executable Node.js Package -20

The skill installs executable JavaScript code including CLI binaries. The code appears legitimate but represents standard executable package risks.

INFO IoT Device Control -15

The skill controls physical smart home devices, which carries inherent security implications if misused or if the user's Homey system is compromised.