Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiaomi/Mijia Smart Home Control

v1.1.0

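Xiaomi/Mijia smart home device control. Controls the Xiaomi devices in your home through MCP Server tools, including lights, air purifiers, electric heaters, air conditioners, fans, robot vacuums, curtains, and more. Triggered when the user gives any instruction related to smart home control, such as "turn off the light", "turn on the air conditioner", "set the purifier to sleep mode", "the living room is too dark", "the air at home is bad", and so on. Even if the user does not explicitly say "Xiaomi" or "Mijia", as long as...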

by Lino Silvan (@alleneee)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (Mijia/Xiaomi home device control) match the runtime instructions: all operations map to the listed MCP Server tools (auth, list/find devices, get/set properties, camera snapshot). No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
Instructions stay within device control, discovery, and camera snapshot/analysis. However, the skill explicitly instructs the agent to ask users for Xiaomi account username/password and verification codes (sensitive), and to 'use Read tool' to read returned image paths — the SKILL.md does not define the Read tool or how images are handled/stored. Confirm how credentials and images are transmitted/stored.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is downloaded or written to disk by an installer. This minimizes install-time risk.
Credentials
No environment variables or primary credentials are declared, yet the runtime flow expects the user to provide Xiaomi account credentials interactively. While asking for credentials is coherent for a direct-login flow, it is sensitive and the skill does not specify secure storage or tokenization. Camera image handling is also sensitive but not detailed.
Persistence & Privilege
always is false and the skill does not request persistent or system-wide privileges. It does not modify other skills or system config according to the provided files.
Assessment
This skill appears to do what it says (control Xiaomi/Mijia devices) but it asks the agent to collect your Xiaomi username/password and verification codes at runtime and to read camera snapshots for analysis. Before installing or using it: 1) Confirm how the platform and MCP Server will store and protect your credentials (prefer token-based/OAuth flows or dedicated, limited-access accounts rather than your main account password). 2) Avoid pasting passwords into plain chat unless you trust the agent's secure input and storage mechanisms. 3) Ask the skill author or operator how camera images are handled, whether images leave your network, and how long they're retained. 4) Consider creating a dedicated Xiaomi account with limited devices for third-party integrations. If you cannot verify secure credential handling and image privacy, treat this skill as privacy-sensitive and proceed cautiously.

Like a lobster shell, security has layers — review code before you run it.

Tags: camera, iot, latest, mijia, miot, smart-home, xiaomi
