home-assistant-custom-integration

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION] (SAFE): Analysis of all Python scripts confirms that there are no calls to os.system, subprocess, or other shell-spawning functions. The skill remains entirely within the Home Assistant framework.
  • [EXTERNAL_DOWNLOADS] (SAFE): The manifest.json files for all three examples show empty requirements. No external code is downloaded or executed during setup or runtime. The logic uses standard libraries or mock APIs for demonstration.
  • [CREDENTIALS_UNSAFE] (SAFE): User credentials (username, password, host) are handled through the ConfigFlow system, which is the standard, secure way to manage secrets within Home Assistant. The hardcoded credentials found in the mock API files (test / 1234) are explicitly documented for testing the template functionality and do not pose a risk to production environments.
  • [DATA_EXFILTRATION] (SAFE): Network activity is restricted to the host provided by the user during configuration. The requests library is used in the intermediate example to fetch data from the user's local API, which is the primary intended purpose of the integration. No unauthorized exfiltration of sensitive files or system data was detected.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 05:59 PM