hass-config-flow
Fail
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill extracts sensitive refresh tokens from the Home Assistant authentication storage file located at
/var/lib/hass/.storage/authto generate access tokens for API interaction. - [COMMAND_EXECUTION]: The skill utilizes
sudovia SSH to perform privileged operations on a remote host, including reading protected configuration files and executing administrative scripts. - [REMOTE_CODE_EXECUTION]: Automated scanners detected a pattern where output from a network request to the Home Assistant states API is piped directly into a Python interpreter (
curl ... | python3) for data processing. - [EXTERNAL_DOWNLOADS]: The documentation recommends the installation of third-party packages such as
dorita980from the NPM registry to facilitate iRobot Roomba integrations. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface when processing external data.
- Ingestion points: Fetches entity names and states from the Home Assistant API endpoint (
/api/states) inSKILL.mdandscripts/ha-entities.sh. - Boundary markers: No delimiters or defensive instructions are present to prevent the agent from being influenced by malicious entity data.
- Capability inventory: The skill can execute shell commands on a remote server and perform network operations via
curl. - Sanitization: There is no evidence of validation or sanitization of entity data retrieved from the Home Assistant instance before it is processed by the agent.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost:8123/api/states - DO NOT USE without thorough review
Audit Metadata