Aqara Agent Skills

v0.1.1

aqara-agent is an official AI Agent skill built on Aqara Home. It supports natural-language login/session setup, home-space management, device inquiry, devic...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign, high confidence
Purpose & Capability
Name/description (Aqara smart-home agent) match the implementation: scripts call an Aqara Open API, handle login, home selection, device query/control and scenes. There are no unrelated required binaries or extraneous credentials declared.
Instruction Scope
Runtime instructions require the user to paste an aqara_api_key (saved to assets/user_account.json) and to run the included Python scripts (pip install -r scripts/requirements.txt). All runtime network calls are to the configured Aqara host (default agent.aqara.com). This is appropriate for the stated purpose, but users should note the skill explicitly asks users to paste credentials into chat and writes them to a local JSON file.
Install Mechanism
No install spec is provided (instruction-only with bundled scripts). Dependencies are ordinary Python packages listed in scripts/requirements.txt (fastmcp, pydantic, requests, qrcode[pil]) — reasonable for the functionality and traceable via PyPI.
Credentials
The skill declares no required environment variables or primary credential; instead it stores/reuses a local aqara_api_key in assets/user_account.json. The skill supports overriding the API host via AQARA_OPEN_HOST (documented). This local-file approach is coherent but worth noting because credentials are persisted on disk in the skill bundle rather than provided as ephemeral environment secrets.
Persistence & Privilege
The skill does write to its own asset file (assets/user_account.json) to persist the aqara_api_key and home selection — this is expected for a session-based smart-home skill. It does not request always:true, does not modify other skills, and has no unusual system-wide privileges.
Assessment
What to consider before installing:
1) This skill will ask you to paste your Aqara API credential (aqara_api_key) into the chat; that value will be saved to skills/aqara-agent/assets/user_account.json on disk, so treat that file as sensitive.
2) The default API endpoint is agent.aqara.com, but the code honors AQARA_OPEN_HOST if set; do not change that env var to an untrusted host (a malicious host could collect credentials).
3) Review the included scripts (scripts/aqara_open_api.py and scripts/save_user_account.py) so you are comfortable with where credentials are written and how network calls are made; the network calls use the requests library and go to the configured base URL.
4) The package installs ordinary PyPI packages; if you will run it in a shared environment, consider running the skill in an isolated environment (virtualenv/container) and inspect assets/user_account.json after use.
5) Minor inconsistencies: a runtime error message in aqara_open_api.py mentions an AQARA_API_KEY environment variable even though the code reads the local JSON; this is informational and not hostile, but you may want to confirm how you prefer to provide credentials (file vs env).
Overall the skill appears coherent with its stated purpose; proceed only if you trust the skill source and are comfortable with local storage of your Aqara API key.
