Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiaomi Miot

v1.4.0

Xiaomi Mijia smart-home control skill. Controls lights, air conditioners, robot vacuums and other Xiaomi IoT devices through Xiao AI speakers and Mijia devices. Use it when the user issues smart-home commands such as "turn on the lights", "turn off the air conditioner" or "have the robot vacuum start cleaning".

by woodylan@lanlan314
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (Xiaomi Miot device control) match the code and instructions: the skill implements login, token caching, and device list retrieval via Xiaomi APIs and uses Feishu to present interactive login cards. Requesting FEISHU_APP_ID/FEISHU_APP_SECRET (to send cards) and Xiaomi OAuth client id/secret is consistent with the described flow. However, one code file (login_card.py) hard-codes a Xiaomi client_secret value rather than using the declared environment variable, which contradicts the SKILL.md statement that secrets are passed via env vars.
Instruction Scope
SKILL.md describes a login flow, token caching path (~/.openclaw/skills/xiaomi-miot/data/token_cache.json), and the need to provide FEISHU and Xiaomi credentials. The runtime instructions and the code operate within that stated scope: they request credentials, prompt for captcha when needed, call Xiaomi APIs, and use Feishu APIs to show/update cards. The skill stores tokens locally in the declared cache path. There is no instruction or code that accesses unrelated system paths or sends data to third-party endpoints other than Xiaomi and Feishu.
Install Mechanism
No install spec (instruction-only) and a small requirements.txt with 'requests' only. This is a low-risk install pattern and consistent with an instruction-only Python skill.
Credentials
Requested environment variables (XIAOMI_CLIENT_ID/SECRET and FEISHU_APP_ID/SECRET) are appropriate for the listed capabilities. However, login_card.py contains a hard-coded Xiaomi client_secret string used in OAuth token calls, contradicting the SKILL.md claim that 'sensitive information is passed via environment variables and is not hard-coded in the code'. This discrepancy is a meaningful inconsistency: either the code ignores the provided XIAOMI_CLIENT_SECRET env var (so the credential the installer configures is never used, which is surprising behaviour), or the author accidentally embedded a secret. A client secret shipped inside a published package should be treated as disclosed: anyone who downloads the zip can extract it and reuse it against the Xiaomi OAuth endpoint, and the installer has no way to rotate it.
Persistence & Privilege
The skill does persist the OAuth token to ~/.openclaw/skills/xiaomi-miot/data/token_cache.json as described in SKILL.md; this is expected for an integration that needs reusable tokens. The skill is not marked always:true and does not request system-wide privileges or alter other skills' configs.
What to consider before installing
This skill appears to implement the described Xiaomi login and device-control flow and uses Feishu to present login cards; that part is coherent. However, the code contains a hard-coded Xiaomi client_secret in login_card.py that contradicts the SKILL.md guidance to pass secrets via environment variables. Before installing or using this skill:
- Do not reuse production secrets. Create dedicated test FEISHU and Xiaomi OAuth credentials so you can revoke them if needed.
- Ask the author to remove the hard-coded client_secret and rely solely on the XIAOMI_CLIENT_SECRET env var (or to explain why the hard-coded value is present). Hard-coded secrets may indicate sloppy engineering or a leaked or stale credential.
- Inspect (or request) the full code beyond the truncated portion to confirm there are no additional network endpoints or data exfiltration.
- Verify that the token cache path (~/.openclaw/skills/xiaomi-miot/data/token_cache.json) is acceptable for your threat model and ensure the file's permissions are strict (owner-only, i.e. mode 0600 or stricter).
If the author cannot justify or remove the embedded client_secret, treat this as a significant red flag and do not install it in production environments.
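Two of the checks in the list above can be scripted before installing any instruction-only Python skill. The following is an added example, not ClawHub's scanner and not the skill's own code: it uses Python's ast module to find string literals bound to secret-like names (assignments, keyword arguments and dict entries), so a value read from os.environ is not flagged while a literal client_secret is, and it checks that the token cache file carries no group/other permission bits. The two sample sources, the example.invalid endpoint and the name-hint list are constructed for illustration.

```python
"""Pre-install checks for a Python skill: hard-coded secrets and cache file mode.

Added example; not ClawHub's scanner and not the skill's code. Sample sources
and the example.invalid URL below are constructed for illustration.
"""
import ast
import stat
from pathlib import Path

# Name fragments that usually denote a credential (assumption: tune per review).
SECRET_NAME_HINTS = ("secret", "password", "passwd", "token", "api_key", "apikey")


def _looks_secret(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SECRET_NAME_HINTS)


def _is_str_literal(node) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def find_hardcoded_secrets(source: str, filename: str = "<skill>") -> list[dict]:
    """Return {'file','line','name'} for each string literal bound to a secret-like
    name: plain/annotated/attribute assignments, keyword arguments and dict entries.
    A value produced by a call or subscript (os.environ["X"]) is not a literal,
    so the env-var pattern SKILL.md describes passes and a hard-coded one fails."""
    findings = []
    tree = ast.parse(source, filename=filename)

    def record(name, node):
        findings.append({"file": filename, "line": node.lineno, "name": name})

    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_str_literal(node.value):
            for target in node.targets:
                name = getattr(target, "id", None) or getattr(target, "attr", None)
                if name and _looks_secret(name):
                    record(name, node.value)
        elif isinstance(node, ast.AnnAssign) and _is_str_literal(node.value):
            name = getattr(node.target, "id", None) or getattr(node.target, "attr", None)
            if name and _looks_secret(name):
                record(name, node.value)
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and _looks_secret(kw.arg) and _is_str_literal(kw.value):
                    record(kw.arg, kw.value)
        elif isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if _is_str_literal(key) and _looks_secret(key.value) and _is_str_literal(value):
                    record(key.value, value)
    return findings


def scan_skill_dir(root: Path) -> list[dict]:
    """Run the literal check over every .py file under the unpacked skill."""
    findings = []
    for path in sorted(root.rglob("*.py")):
        findings.extend(find_hardcoded_secrets(path.read_text(encoding="utf-8"), str(path)))
    return findings


def mode_is_owner_only(mode: int) -> bool:
    """True when no group/other bits are set (0600 or stricter)."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def cache_file_is_owner_only(path: Path) -> bool:
    """Token cache check; a file that does not exist yet has nothing to leak."""
    return (not path.exists()) or mode_is_owner_only(path.stat().st_mode)


# Constructed sample mirroring the inconsistency in the report: the env var is
# read, but the token request uses a literal, so the configured value is dead.
SAMPLE_BAD = '''
import os, requests
CLIENT_ID = os.environ["XIAOMI_CLIENT_ID"]
CLIENT_SECRET = os.environ.get("XIAOMI_CLIENT_SECRET")

def fetch_token(code):
    return requests.post("https://example.invalid/oauth2/token", data={
        "client_id": CLIENT_ID,
        "client_secret": "0123456789abcdef",
        "code": code,
    })
'''

# Constructed sample of what SKILL.md claims: the secret comes only from the env.
SAMPLE_GOOD = '''
import os, requests
CLIENT_SECRET = os.environ["XIAOMI_CLIENT_SECRET"]

def fetch_token(code):
    return requests.post("https://example.invalid/oauth2/token",
                         data={"client_secret": CLIENT_SECRET, "code": code})
'''

if __name__ == "__main__":
    for label, src in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, find_hardcoded_secrets(src, f"{label}.py"))
    cache = Path.home() / ".openclaw/skills/xiaomi-miot/data/token_cache.json"
    print("token cache owner-only:", cache_file_is_owner_only(cache))
```

Run scan_skill_dir on the unpacked zip before enabling the skill; a non-empty result is exactly the discrepancy the report describes and is grounds to ask the author for a fix. The AST approach deliberately ignores comments and docstrings and does not try to judge entropy, so it produces fewer false positives than a regex grep but will miss secrets built by concatenation or decoded at runtime; read the flagged files by hand in either case.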

Like a lobster shell, security has layers — review code before you run it.

latest: vk9776rvj8vm1j22k8vhap7nbdh83ytdw

