Advanced Home Assistant control using the official hass-cli tool. Features auto-completion, event monitoring, history queries, and rich output formatting. Alternative to the curl-based homeassistant skill - choose this if you want a more interactive CLI experience with better discovery and formatting.
Security Analysis
high confidenceThe skill mostly matches its stated purpose (wrapping the official hass-cli), but the package metadata omits the obvious secret/environment requirement (HASS_TOKEN/HASS_SERVER) and the runtime instructions contain actions that can leak or weaken credentials, so the requests and documentation are not fully consistent or proportionate.
The skill's name, description, and commands align with a Home Assistant CLI wrapper and legitimately need the hass-cli binary and access to a Home Assistant server. The install options (pip/homebrew) are appropriate for a Python CLI tool.
SKILL.md instructs the agent/user to set HASS_SERVER and HASS_TOKEN, test connections, and even echo $HASS_TOKEN in troubleshooting — but the skill metadata did not declare any required environment variables. The instructions otherwise stay within Home Assistant control scope and do not ask to read system files outside of typical shell configs.
Install spec uses pip and Homebrew formulas for homeassistant-cli, which is expected for this upstream project and is a low-to-moderate risk install path. No download-from-URL or arbitrary extraction is used.
Runtime usage clearly requires a long-lived Home Assistant token (HASS_TOKEN) and server URL (HASS_SERVER). Those sensitive environment variables are not listed in requires.env or primary credential fields in the metadata — an omission that reduces transparency and could cause unintentional credential exposure. The troubleshooting guidance suggests echoing the token and using --insecure for certs, both of which can weaken secrecy or security if followed without caution.
The skill does not request permanent/always-on inclusion (always:false), does not modify other skills, and does not claim access to unrelated config paths or credentials. Autonomy is enabled by default (disable-model-invocation:false) which is standard and not by itself a red flag.
Guidance
This skill appears to be a straightforward wrapper around the official hass-cli tool, but the metadata is missing the fact that you must provide HASS_SERVER and a long-lived HASS_TOKEN. Before installing: (1) verify the pip/homebrew package comes from the official project (check maintainers and repo), (2) be prepared to supply a Home Assistant long-lived access token — treat it like a password and avoid echoing it into terminals or logs, (3) avoid using --insecure in production (it disables SSL verification), (4) prefer storing the token in a secure secret store instead of exporting it in a shared shell config, and (5) consider whether you want an agent with autonomous invocation to run hass-cli commands against your home network. The metadata omission lowers transparency; ask the publisher to add required env vars (HASS_SERVER, HASS_TOKEN) to the skill manifest before trusting it.
Latest Release
v1.0.0
- Initial release of the homeassistant-cli skill. - Provides advanced Home Assistant control using the official hass-cli tool. - Features include auto-completion, real-time event monitoring, history queries, and rich output formatting (table/YAML/JSON). - Offers enhanced interactivity and discoverability compared to curl-based alternatives. - Includes setup instructions, common commands, and usage tips for a richer CLI experience.
More by @JonesChi
Published by @JonesChi on ClawHub
