hass-mcp: why it is not safe to use
hass-mcp passed our injection, exfiltration and secrets checks, but it can control real devices and restart your Home Assistant hub, so we flagged it.
What we found
We scored hass-mcp 80/100 and marked it **warn**, not blocked. It passed the checks that matter most for a hostile skill: no prompt-injection payloads, no data exfiltration, no hardcoded secrets, no obfuscated code, and no unexpected outbound calls. It talks only to the Home Assistant URL you configure, and it respects TLS.
The warnings come from what the skill is designed to do. Its `call_service_tool` can invoke any Home Assistant service, and `entity_action` and `restart_ha` let it toggle switches, operate locks, and restart your hub. It authenticates with a long-lived token that grants full control of the instance. If you run its optional HTTP mode, the `/mcp` endpoint hands that same control to anyone who can reach the port, a risk the project's own README flags.
What to do instead
Run hass-mcp only if you want an assistant that actively controls your smart home, and treat it accordingly. Keep it in the default stdio mode rather than HTTP mode. If you need HTTP, bind it to localhost and put it behind authentication. Consider a scoped Home Assistant user with limited service access instead of a full-control token, and review which entities it can reach.
Source: https://github.com/voska/hass-mcp
We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.