Mijia

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Mijia lamp-control skill, but it does require Xiaomi account login and lets the agent change the selected smart device's state.

Install this only if you want the agent to control the selected Mijia device. Verify the device ID, be comfortable with the Xiaomi QR login, and avoid assigning safety-critical devices such as smart plugs controlling appliances unless you add an explicit confirmation workflow.

VirusTotal

63/63 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

If invoked, the agent can turn the configured lamp or compatible device on/off and change its settings.

Why it was flagged

These command handlers directly change a Mijia device's state. That is the stated purpose of the skill, but it is still real-world device mutation.

Skill content
lamp.on = True ... lamp.on = False ... lamp.brightness = args.value ... lamp.set('mode', mode_val)
Recommendation

Only configure MIJIA_LAMP_DID for the device you want the agent to control, and consider requiring confirmation before controlling smart plugs or any safety-sensitive device.

ASI03: Identity and Privilege Abuse
Medium
What this means

Installing and using the skill involves granting the agent access to a Xiaomi smart-home account session for device control.

Why it was flagged

The skill authenticates to a Xiaomi/Mijia account to control devices. This is expected for the integration, and the provided code does not show hardcoded credentials or credential exfiltration.

Skill content
api = mijiaAPI()
api.login()
Recommendation

Review the Xiaomi login prompt, use the least-privileged account available, and ensure the configured device ID points only to the intended device.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Running uv sync may install a newer mijiaapi release than the author tested.

Why it was flagged

The setup relies on an external package with a lower-bound version range rather than an exact pinned version. This dependency is central to the skill's purpose, but users should be aware of the supply-chain dependency.

Skill content
dependencies = [
    "mijiaapi>=3.0.5",
]
Recommendation

Install from a trusted environment and consider pinning or reviewing the mijiaapi package version before use.