← 返回 Skills 市场

Home Assistant Control

Name: Home Assistant Control
Author: hogar23

作者 Hogar23 · GitHub ↗ · v1.0.3

cross-platform ✓ 安全检测通过

903

总下载

当前安装

版本数

在 OpenClaw 中安装

/install home-assistant-control

功能描述

Control and inspect Home Assistant via REST API for entities, states, services, scenes, scripts, and automations. Use when the user asks to turn devices on/o...

使用说明 (SKILL.md)

Home Assistant Control

Use Home Assistant REST API with a long-lived access token.

Requirements

For skill users (runtime)

bash
curl
jq
Home Assistant long-lived token (HA_TOKEN)
Home Assistant public base URL (HA_URL_PUBLIC)

For skill maintainers (packaging/validation)

python3
pyyaml (required by skill-creator validator/packager scripts)

Required environment variables

HA_TOKEN (required)
HA_URL_PUBLIC (required; canonical target and fallback)
Optional URL behavior:
- if HA_URL_LOCAL is set (and no HA_URL override), local is tried first, then fallback to HA_URL_PUBLIC
- HA_URL is an explicit override (if set, used directly)

Secrets handling (publish-safe)

Keep keys/URLs in an external file, not in the skill folder.
Set HA_ENV_FILE=/absolute/path/to/file.env when you want file-based secret loading.
If HA_ENV_FILE is not set, scripts only use environment variables already present in the shell.
scripts/ha_call.sh and scripts/self_check.sh load env file only when HA_ENV_FILE is provided.

Core workflow

Parse the user request into target entity/service + desired action.
Check references/naming-context.md for manual alias mappings first.
Verify entity exists before changing state.
Execute service call.
Re-check state and report outcome clearly.

Useful endpoints

List states: GET /api/states
Single state: GET /api/states/{entity_id}
Call service: POST /api/services/{domain}/{service}

Headers:

Authorization: Bearer $HA_TOKEN
Content-Type: application/json

Scripts

scripts/ha_env.sh — loads env file only when HA_ENV_FILE is explicitly set, using safe KEY=VALUE parsing (no source/eval).
scripts/ha_call.sh — generic API caller for Home Assistant.
scripts/fill_entities_md.sh — generate references/entities.md from GET /api/states.
- Full map: ./scripts/fill_entities_md.sh
- Filter domains: ./scripts/fill_entities_md.sh --domains light,switch,climate,sensor
scripts/save_naming_context.sh — refresh references/naming-context.md for user-specific naming.
- ./scripts/save_naming_context.sh
scripts/ha_entity_find.sh — search entities by partial entity id or friendly name.
- ./scripts/ha_entity_find.sh kitchen
- ./scripts/ha_entity_find.sh temp --domains sensor,climate --limit 30
scripts/ha_safe_action.sh — execute service actions with safety checks and risk confirmation.
- ./scripts/ha_safe_action.sh light turn_on light.kitchen '{"brightness_pct":60}'
- ./scripts/ha_safe_action.sh lock unlock lock.front_door --dry-run
- Add --yes to bypass interactive confirmation for risky domains.
scripts/self_check.sh — verify prerequisites and API connectivity/auth before running actions.
- ./scripts/self_check.sh

Safety

Confirm before high-impact actions (locks, alarms, garage/doors, heating shutdown).
Do not print raw token values.
If target entity is ambiguous, ask a follow-up question.
Keep API paths scoped to Home Assistant endpoints only (/api/...).
Use only HTTP(S) Home Assistant base URLs (HA_URL*), prefer HTTPS for public access.
Avoid code execution when loading env files: parse key/value pairs, do not use source on untrusted paths.

Reference files

references/entities.md — entity inventory
references/naming-context.md — user alias memory for natural names (e.g. "living room light")

Publishing notes

Keep examples generic (example_* IDs), no personal hostnames/tokens.
Do not commit .env or any private env file with real tokens.
Keep the skill focused: API workflow + reusable scripts + entity reference.

安全使用建议

This skill appears to do exactly what it says: call Home Assistant's REST API and provide helper scripts. Before installing, ensure you trust the skill source and the GitHub repo, and keep in mind that HA_TOKEN is powerful — anyone with it can control devices. Store HA_TOKEN in a private file with strict permissions (the skill supports an HA_ENV_FILE), prefer HTTPS HA_URL_PUBLIC for remote access, and review the scripts yourself if you want to be extra cautious. Run scripts/self_check.sh first to validate connectivity and environment. If you need least-privilege access, consider creating a token with limited permissions in Home Assistant rather than using a full-administration token.

功能分析

Type: OpenClaw Skill Name: home-assistant-control Version: 1.0.3 The skill bundle is benign. It demonstrates robust security practices, particularly in `scripts/ha_env.sh` which safely parses environment files by allowlisting keys and avoiding `source`/`eval` for untrusted paths. `scripts/ha_call.sh` and `scripts/ha_safe_action.sh` implement strict input validation, URL scheme checks, API path scoping, and use `jq --arg` for safe JSON payload construction, mitigating shell and JSON injection risks. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in the documentation (`SKILL.md`, `README.md`).

能力评估

✓ Purpose & Capability

Name/description match the requested binaries and environment variables: bash, curl, jq and HA_TOKEN/HA_URL_* are exactly what a Home Assistant REST wrapper needs. Scripts operate against /api/... endpoints and provide entity discovery, safe action execution, and reference generation — all coherent with the stated purpose.

✓ Instruction Scope

SKILL.md and the scripts confine their actions to Home Assistant API calls and local reference files. They validate paths begin with /api/, avoid arbitrary shell eval when loading env files, confirm entities before acting, and require explicit user confirmation for risky domains. No instructions ask the agent to read unrelated system files or send data to endpoints outside the configured HA base URL.

✓ Install Mechanism

There is no install spec (instruction-only packaging). The repo includes shell scripts only; no external downloads or package installs are performed by the skill itself, minimizing install-time risk.

✓ Credentials

Requested env vars (HA_TOKEN, HA_URL_PUBLIC, optional HA_URL_LOCAL/HA_URL/HA_ENV_FILE) are necessary and proportionate for talking to Home Assistant. The included ha_env.sh explicitly allowlists keys and parses env files without sourcing, limiting scope. The skill does require a long-lived token (which by design can control devices) — this is appropriate for the capability but carries the expected privilege.

✓ Persistence & Privilege

The skill is not always-enabled and does not request elevated platform privileges or modify other skills. It does not persist credentials into unrelated configs. Scripts write only to their own reference files (entities/naming-context) and temporary files during operation.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install home-assistant-control
安装完成后，直接呼叫该 Skill 的名称或使用 /home-assistant-control 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.3

Security fix: remove source() from env loading; use safe KEY=VALUE parser

v1.0.2

Align strict required env metadata with runtime checks

v1.0.1

Reduce scanner risk: explicit HA_ENV_FILE loading, tighten metadata/docs

v1.0.0

Initial clean release from canonical repo

v0.1.1

- Initial release of Home Assistant Control skill. - Added full documentation with usage notes, requirements, scripts, and safety practices. - Published 56 files including scripts, references, Git metadata, and configuration files. - Introduced `homepage` and `metadata` fields in skill description. - Updated publishing notes to emphasize not committing any private environment files.

元数据

Slug home-assistant-control

版本 1.0.3

许可证 —

累计安装 2

当前安装数 2

历史版本数 5

常见问题