We checked this and rejected it

hass-mcp: why it is not safe to use

hass-mcp passed our injection, exfiltration and secrets checks, but it can control real devices and restart your Home Assistant hub, so we flagged it.

What we found

We scored hass-mcp 80/100 and marked it **warn**, not blocked. It passed the checks that matter most for a hostile skill: no prompt-injection payloads, no data exfiltration, no hardcoded secrets, no obfuscated code, and no unexpected outbound calls. It talks only to the Home Assistant URL you configure, and it respects TLS.

The warnings come from what the skill is designed to do. Its `call_service_tool` can invoke any Home Assistant service, and `entity_action` and `restart_ha` let it toggle switches, operate locks, and restart your hub. It authenticates with a long-lived token that grants full control of the instance. If you run its optional HTTP mode, the `/mcp` endpoint hands that same control to anyone who can reach the port, a risk the project README flags itself.

What to do instead

Run hass-mcp only if you want an assistant that actively controls your smart home, and treat it accordingly. Keep it in the default stdio mode rather than HTTP mode. If you need HTTP, bind it to localhost and put it behind authentication. Consider a scoped Home Assistant user with limited service access instead of a full-control token, and review which entities it can reach.

Want the same outcome, safely? Use our checked skill instead.

Source: https://github.com/voska/hass-mcp

We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.
