home-assistant
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill documentation instructs users to store a 'Long-Lived Access Token' in a plain-text configuration file (
~/.config/home-assistant/config.json) or in environment variables. While necessary for authentication with Home Assistant, this practice exposes sensitive credentials to any process or user with access to the agent's environment or file system.\n- [COMMAND_EXECUTION]: The skill usescurland a custom shell script (scripts/ha.sh) to execute commands and interact with the Home Assistant API. These capabilities allow the agent to perform network requests and control physical devices, which could be abused if the agent is compromised.\n- [PROMPT_INJECTION]: The 'Inbound Webhooks' feature introduces a risk of Indirect Prompt Injection. Data sent from Home Assistant automations to the agent's webhook endpoint (such as device names, areas, or event details) is ingested as natural language and could contain malicious instructions designed to manipulate the agent's behavior.\n - Ingestion points: The webhook endpoint receives POST payloads from Home Assistant automations (documented in the 'Inbound Webhooks' section).\n
- Boundary markers: No specific delimiters or safety instructions are provided to distinguish between data and potential commands within the webhook payload.\n
- Capability inventory: The skill possesses the ability to read local configuration files, perform network operations via
curl, and execute commands through theha.shwrapper.\n - Sanitization: There is no evidence of sanitization, validation, or filtering of the incoming data from the webhook before it is processed by the agent.
Audit Metadata