ClawHub

小米智能家居 (Xiao Mi Home for HA)

v1.0.0

Control Xiaomi/Mi Home devices via Home Assistant REST API for lights, switches, sensors, AC, fans, media players, and scenes using natural language.

0· 211·0 current·0 all-time
byDillonHuang@huangqiulong
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (control Xiaomi devices through Home Assistant REST API) align with the declared requirements in SKILL.md (curl, jq, HA_URL, HA_TOKEN). The bundled scripts (test.sh, test-mock.sh, mock-ha-server.py) are test/mock utilities useful for offline and live testing and are consistent with the skill's purpose. Note: registry metadata at the top of the submission shows no required env vars/binaries whereas SKILL.md does declare them — this is an inconsistency in the published metadata but not a functional mismatch.
Instruction Scope
SKILL.md only instructs using the Home Assistant REST API (GET /api/states, POST /api/services/...) via curl/jq. It also instructs storing HA_URL/HA_TOKEN in OpenClaw config (openclaw config set) or editing ~/.openclaw/openclaw.json; these actions are within scope for a skill that needs persistent credentials. Caution: the doc suggests pasting long-lived tokens in chat for the AI to run openclaw config set — that is a user-privacy risk (not a technical incoherence).
Install Mechanism
No install spec (instruction-only runtime) — lowest install risk. The repository includes test scripts and a simple local mock server (Python stdlib) that are harmless local test tooling. No downloads from external/unknown URLs or extracted archives are present.
Credentials
The only runtime secrets the skill needs are HA_URL and a long-lived HA_TOKEN, which are proportional to controlling a Home Assistant instance. There are no unrelated credentials requested. Note the registry metadata did not list these env vars but SKILL.md does — you should confirm the platform will prompt for/provide these before enabling the skill.
Persistence & Privilege
always:false (normal). The skill's workflow expects to write its own config entries (openclaw config set or editing ~/.openclaw/openclaw.json) so it can persist the HA_TOKEN; this is expected for a skill that must contact your HA instance. It does not request system-wide privileges or modify other skills.
Assessment
Functionally this skill looks coherent for controlling Home Assistant. Before installing: 1) Confirm the registry metadata discrepancy (the published metadata did not list HA_URL/HA_TOKEN while SKILL.md does). 2) Only provide a long‑lived HA token you trust the agent with; avoid pasting it into public or shared chats. 3) Consider creating a Home Assistant token with limited privileges if possible and test the skill using the provided mock server (test-mock.sh) before pointing it at your real HA instance. 4) Review the openclaw config write step — the skill will persist the token in ~/.openclaw/openclaw.json via openclaw config set, so ensure your OpenClaw config storage is secure.

Like a lobster shell, security has layers — review code before you run it.

latestvk978mvtq1qtkbtrpcc7py1szx982sz89

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments