Midea Air Conditioners
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Suspicious High-Entropy/Eval files: 1

The skill is classified as suspicious due to prompt injection instructions found in `SKILL.md`. Specifically, the 'Natural Language Understanding' section instructs the AI agent to perform multi-step reasoning and conditional logic (e.g., 'Check status first, then increase temperature by 2 - 10 degrees', or conditional fan speed based on AC mode). While these instructions are for a legitimate purpose (AC control), they demonstrate a risky capability where the agent is directed to execute complex, multi-stage operations based on markdown instructions. The `scripts/midea_ac.py` file performs network communication, but it is confined to local IP addresses (192.168.1.x) for controlling Midea ACs, which is aligned with the skill's stated purpose and does not show signs of malicious exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the skill can turn ACs on or off and change temperature, fan, or mode settings on local devices.
The script directly applies state changes to an air conditioner. This matches the skill purpose, but it is still a real-world device action users should be aware of.
ac.power_state = False
await ac.apply()

Confirm the room names and IP addresses before use, and consider requiring user confirmation for power changes or extreme temperature/fan-speed settings.
The skill may require a separately installed dependency, and users should know which package they are trusting before running it.
The skill relies on an external Python library, while the provided install metadata does not include an install specification or pinned dependency details.
Powered by @mill1000's [msmart-ng](https://pypi.org/project/msmart-ng) library.
Install dependencies from the expected official package source, review the package name/version if possible, and avoid running modified dependency-install commands from untrusted sources.
