Trust Assessment
homey-cli received a trust score of 95/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The key finding is "Sensitive credential exposed via environment variable".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | **Sensitive credential exposed via environment variable.** The skill's setup instructions direct users to store `HOMEY_CLIENT_SECRET` as an environment variable. In an AI agent environment, sensitive information stored in environment variables can be vulnerable to exfiltration if the agent's execution environment is compromised or if the agent itself can be prompted to reveal its environment variables. This could lead to unauthorized access to the Homey hub. Consider alternative secure storage mechanisms for `HOMEY_CLIENT_SECRET` that do not rely on environment variables, such as a dedicated secrets management service, a secure configuration file with restricted permissions, or prompting the user for the secret at runtime if feasible. If environment variables must be used, ensure the agent's execution environment is strictly sandboxed and that the LLM cannot access or reveal its own environment variables. | LLM | SKILL.md:35 |