gtapps/ha-safety-audit
plugins/claude-code-homeassistant-hermit/skills/ha-safety-audit/SKILL.md
Audit all live Home Assistant automations and scripts against the safety policy. Catches policy drift from entities added via the HA UI that bypassed this plugin's safety gate. Runs weekly as a scheduled check via reflect-scheduled-checks.
$ install --global
skillsauthnpx skillsauth add gtapps/claude-code-hermit ha-safety-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 13, 2026, 4:24 AM232.3s1 file scanned
SKILL.md
- name:
- ha-safety-audit
- description:
- Audit all live Home Assistant automations and scripts against the safety policy. Catches policy drift from entities added via the HA UI that bypassed this plugin's safety gate. Runs weekly as a scheduled check via reflect-scheduled-checks.
HA Safety Audit
Purpose
The plugin's safety gate only runs when automations are built through ha-build-automation. Automations and scripts added directly via the HA UI bypass it. This skill re-audits every live automation and script against the current safety policy and surfaces violations so the operator can review them.
Violations listed in .claude-code-hermit/compiled/acknowledged-violations.md (under automation_ids or script_ids) are suppressed from the actionable findings and reported separately as acknowledged.
Steps
- Run
${CLAUDE_PLUGIN_ROOT}/bin/ha-agent-lab ha audit-automations. - Run
${CLAUDE_PLUGIN_ROOT}/bin/ha-agent-lab ha audit-scripts. - Each command writes JSON + markdown artifacts under
.claude-code-hermit/raw/audit-ha-safety-*and.claude-code-hermit/raw/audit-ha-script-safety-*and prints a stdout findings block. - Concatenate the two stdout blocks with a blank separator line and pass the result through unchanged — reflect-scheduled-checks consumes it as the scheduled check output.
Output contract
Each CLI command prints a block in this shape:
ha-safety-audit findings — YYYY-MM-DD
Policy violations: N
- <alias> (`<id>`): <reasons>
No action needed: M automations passed
Acknowledged (suppressed): K
Scripts use ha-script-safety-audit findings — YYYY-MM-DD as the first line and scripts in place of automations.
If no violations: No actionable findings. (N automations scanned) or No actionable findings. (N scripts scanned).
Failure modes
- HA unreachable → CLI exits non-zero with an error message. Treat that as "skipped, cannot audit" in reflect-scheduled-checks context; do not retry automatically.
- No automations or scripts configured →
No actionable findings. (0 automations/scripts scanned)— not an error.
Related Skills
gtapps/session-start
data-ai
VerifiedTrustedCommunity
Initializes or resumes a work session. Loads context from OPERATOR.md and SHELL.md, orients the agent, and establishes what to work on. Use at the beginning of every work session.
62SKILL.mdUpdated Apr 27, 2026
gtapps/hermit-evolve
tools
VerifiedTrustedCommunity
Evolves hermit configuration and templates after a plugin update. Detects version gaps, presents new features, walks through new settings. Run after updating the plugin.
62SKILL.mdUpdated Apr 27, 2026
gtapps/hatch
testing
VerifiedTrustedCommunity
Initializes the autonomous agent in the current project. Creates the state directory, templates, OPERATOR.md, and config.json. Appends session discipline to CLAUDE.md. Detects installed hermits. Run once per project, like git init.
62SKILL.mdUpdated Apr 27, 2026
gtapps/docker-setup
tools
VerifiedTrustedCommunity
Generates Docker scaffolding and walks the operator through the full deployment — token setup, build, start, MCP plugin configuration, workspace trust, and verification. Offers to back up and overwrite existing Docker files. Run after /hatch.
62SKILL.mdUpdated Apr 27, 2026