
      Safety Report

      Homeassistant Skill

      @anotb

      Control Home Assistant devices and automations via REST API. 25 entity domains including lights, climate, locks, presence, weather, calendars, notifications, scripts, and more. Use when the user asks about their smart home, devices, or automations.

      2,875 Downloads
      8 Installs
      5 Stars
      5 Versions
      API Integration (4,971) · Workflow Automation (3,323) · CLI & Shell Tools (1,805) · Calendar & Scheduling (1,462)

      Security Analysis

      high confidence
      Clean · 0.04 risk

      The skill's requirements and instructions match its stated purpose (controlling Home Assistant via the REST API); requested binaries and environment variables are proportionate and expected.

      Feb 12, 2026 · 2 files · 1 concern
      Purpose & Capability: ok

      Name/description align with requirements: curl and jq are appropriate, and HA_URL/HA_TOKEN are exactly what a REST-based Home Assistant skill needs.

      Instruction Scope: note

      SKILL.md only instructs calling Home Assistant REST endpoints (states, services, template, history, etc.) using HA_URL and HA_TOKEN. These calls are within the skill's purpose, but template/history/logbook endpoints can expose sensitive local data (presence, logs, calendar entries). The skill includes explicit safety rules for locks/alarms/garage doors.

      Install Mechanism: ok

      Instruction-only skill with no install spec or code files — nothing is downloaded or written to disk by the skill itself.

      Credentials: ok

      Only HA_URL and HA_TOKEN are required and HA_TOKEN is declared as primaryEnv. The number and type of secrets requested are proportional to the stated capabilities.

      Persistence & Privilege: ok

      always:false and normal model-invocation settings. The skill does not request permanent system presence or modify other skills/config; no elevated platform privileges are requested.

      Guidance

      This skill appears coherent and does what it says: it issues REST calls to your Home Assistant instance using HA_URL and a long-lived HA_TOKEN. Before installing, consider: 1) Treat HA_TOKEN as a full-access secret — only provide a token tied to a dedicated, limited account if possible (long-lived tokens are tied to a user). 2) Verify the GitHub project/homepage and review commits or issues if you don't trust the publisher. 3) Be aware calls to templates, history, and logbook can read sensitive local data (presence, calendars, logs); the skill's safety rules call out critical actions but you should confirm any lock/alarm/garage commands. 4) Ensure the agent that will use this skill has network access only to the intended HA_URL. If you need stricter controls, avoid supplying a full-access token or run the skill in an environment where you can audit requests.

      Latest Release

      v2.1.0

      - Added a homepage link to the skill metadata.
      - Updated metadata fields to include OpenClaw environment and binary requirements.
      - Bumped version to 2.1.0.


      Published by @anotb on ClawHub
