openclaw-homeassistant

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it retrieves and processes data from a Home Assistant instance, such as entity states and attributes. If an attacker can manipulate this data (e.g., by compromising a smart device or modifying a friendly name), they could influence the agent's behavior.
  • Ingestion points: Untrusted data enters the agent context via 11 read-oriented tools in src/tools.ts, including ha_get_state, ha_list_entities, ha_history, and ha_sensor_list.
  • Boundary markers: The skill does not implement specific boundary markers or instructions to differentiate Home Assistant data from the agent's system prompt, leaving the agent susceptible to instructions embedded in the data.
  • Capability inventory: The skill provides a significant set of capabilities with 23 write tools, including powerful generic operations like ha_call_service, ha_fire_event, and ha_render_template (src/guards.ts).
  • Sanitization: While the skill enforces strict regex-based validation for entity IDs, it does not sanitize or escape the content of entity attributes or states (e.g., friendly names) before returning them to the agent.
  • [SAFE]: The skill implements a robust safety model including a global readOnly toggle that blocks all 23 write-capable tools and an allowedDomains allowlist that restricts the agent to specific device categories (src/guards.ts).
  • [SAFE]: The implementation has zero runtime dependencies, significantly reducing the risk of supply chain attacks.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 30, 2026, 05:37 PM