Mijia
v0.1.0
Control Xiaomi Mijia smart home devices. Use this skill when the user wants to control desk lamps, smart plugs, or other Mijia devices. Supports turning lights on/off, adjusting brightness, setting color temperature, switching modes, and more.
by Kai Wang @hqman
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with included code: the CLI (scripts/lamp_cli.py) and README implement lamp control via a mijiaAPI library. The declared project dependency (mijiaapi) is appropriate for the stated function.
Instruction Scope
SKILL.md instructs the agent to install dependencies (uv sync), set MIJIA_LAMP_DID, log in via Xiaomi QR code, and run scripts/lamp_cli.py. Those steps are within scope for a device-control skill, but the skill documentation uses multiple inconsistent install/run paths (e.g., ~/.clawdbot/skills/mijia, ~/.claude/skills/mijia, and /path/to/mijia-skill) and the runtime instructions rely on the external mijiaAPI library (which will perform network login and store tokens) without describing where credentials/tokens are persisted.
Install Mechanism
No install spec is declared in the registry (instruction-only), but a pyproject.toml lists mijiaapi as a dependency and README/SKILL.md require running 'uv sync' / 'uv run'. The skill will therefore pull a third-party package from PyPI (or equivalent) when installed — the package source and behavior are not included in the skill, so you must audit that dependency separately. No arbitrary HTTP downloads or embedded obfuscated installers were found in the skill itself.
Credentials
The registry metadata lists no required env vars or primary credential, but SKILL.md and the CLI require MIJIA_LAMP_DID and the user to log in to a Xiaomi account. The skill does not declare this required environment variable in its metadata, and it does not explain where login tokens will be stored. Asking for a Xiaomi account login and device ID is expected for this functionality, but the mismatch between declared requirements and actual instructions is a gap that could hide assumptions about stored credentials or token persistence.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config paths, and does not attempt to modify other skills. It requires the agent to run the CLI manually (or be invoked), and the included code performs only device operations via the external library.
What to consider before installing
Before installing or running this skill, consider the following:
- The skill will require you to set MIJIA_LAMP_DID and to log in to your Xiaomi account (QR code). Confirm where the mijiaAPI library stores login tokens/credentials on disk (cookies, config files) and whether you are comfortable with that storage location.
- The registry metadata does NOT list MIJIA_LAMP_DID as a required env var, and SKILL.md/README use inconsistent directory paths (~/.clawdbot vs ~/.claude vs /path/to). Ask the author to fix metadata and docs so requirements are explicit.
- The skill depends on the third-party package 'mijiaapi' (pyproject.toml). Inspect that package's source or its PyPI/GitHub repo for any network endpoints, telemetry, or unexpected behaviors before running 'uv sync'.
- Run the skill in an isolated environment (virtualenv or disposable VM) the first time to observe what files/tokens it creates and what network calls it makes.
- If you only want the AI to issue commands and not perform autonomous installs/logins, avoid allowing autonomous invocation until metadata and behavior are clarified.
If the author can (1) list MIJIA_LAMP_DID in the skill metadata, (2) fix the path inconsistencies, and (3) document where login tokens are stored (and confirm no unrelated credentials are accessed), this would reduce the outstanding concerns.
Like a lobster shell, security has layers — review code before you run it.
