Xiaomi Miot

Security checks across malware telemetry and agentic risk

Overview

The skill is related to Xiaomi smart-home access, but it asks users to provide Xiaomi passwords and verification codes through chat or Feishu and stores reusable tokens with weak safeguards.

Review carefully before installing. Only use this if you are comfortable entering Xiaomi account credentials and verification codes into an assistant or Feishu workflow; prefer a dedicated low-privilege Xiaomi account, restrict or delete the token cache, and avoid using it for accounts that protect sensitive home devices until it supports safer delegated login and clearer revocation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation indicates use of environment variables, local file storage, and network access, but no declared permissions are provided. This weakens platform transparency and consent boundaries because users and reviewers cannot easily assess that the skill reads secrets, writes token caches, and contacts external Xiaomi and Feishu services. In a smart-home skill that also handles authentication, undeclared capabilities increase risk because they hide access to sensitive data and external communications.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is simple Xiaomi smart-home control, but the documented behavior includes collecting account credentials, CAPTCHA handling, authenticating to Xiaomi services, using Feishu APIs, and persisting tokens locally. This mismatch is security-relevant because users may invoke what appears to be a device-control skill without realizing it performs credential capture and third-party messaging integration. In this context, the mismatch materially increases the chance of unsafe consent and misuse of highly sensitive login data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file implements Xiaomi credential collection, authentication, captcha handling, and device enumeration inside a Feishu-facing skill, which materially expands the capability beyond simple device-control phrasing in the metadata. In this context, asking users to enter third-party account passwords into an in-chat card increases phishing and secret-handling risk, especially because the code then uses those credentials directly against Xiaomi APIs.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill builds Feishu interactive cards specifically to solicit Xiaomi account credentials and captcha input, routing sensitive authentication material through the chat platform workflow. Even if the card payload itself only defines UI elements, the feature is designed to induce users to submit secrets in a context that is not clearly an official Xiaomi login surface, making credential theft or mishandling more likely.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The implementation does not match the described skill purpose: it performs account login and device inventory retrieval, but contains no device-control operations. This mismatch increases user deception risk because users may grant sensitive Xiaomi credentials expecting limited smart-home control, while the code actually collects account access and enumerates devices.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill requires raw Xiaomi username/password-style credentials and performs password-based OAuth login, which is materially broader and more sensitive than the manifest's narrow control description suggests. In the context of a smart-home skill, collecting full account credentials creates unnecessary account-takeover and privacy risk if the environment, logs, host, or downstream code are compromised.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Broad trigger phrases like ordinary smart-home commands can cause accidental invocation during normal conversation. For a skill that can authenticate, enumerate devices, trigger scenes, and control physical devices, unintended activation can lead to privacy issues or unauthorized actions in the home environment. The smart-home context makes this more dangerous because commands affect real-world devices and routines.

Missing User Warnings

High
Confidence
97% confidence
Finding
The markdown explicitly instructs users to provide phone number, password, and verification code, but does not provide a strong privacy and security warning at the point of collection. This is dangerous because users may disclose credentials in plain chat without understanding retention, exposure to platform operators, logs, or compromise of the agent environment. Because these are primary account credentials for a smart-home ecosystem, compromise can expose device control and household information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code transmits Xiaomi account credentials to external Xiaomi authentication endpoints without any evident user-facing disclosure, consent language, retention policy, or warning that the skill is directly handling their password. In a chat-integrated smart-home skill, this omission is dangerous because users may reasonably assume account linking is handled by the platform or vendor rather than by the skill code itself.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Authentication token data is written to a local cache file without setting restrictive permissions, encryption, or explicit disclosure. On multi-user or poorly isolated systems, another local process or user could read the token cache and reuse the bearer token to access Xiaomi account resources.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The CAPTCHA image is written to a predictable path in /tmp, which is commonly shared and world-accessible on many systems. While the image is less sensitive than credentials, predictable temporary-file handling can expose account-login artifacts to other local users or enable file clobbering/symlink issues depending on runtime privileges.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code transmits username and password-derived authentication material to Xiaomi endpoints without an explicit consent or warning step in the operational flow. In this skill context, that matters because the manifest frames the capability as simple device control, while the implementation performs full account authentication and remote token exchange.

Ssd 3

High
Confidence
99% confidence
Finding
The skill instructs the agent to collect the user's Xiaomi account password and verification code directly through plain-text chat. This is highly dangerous because chat messages may be logged, retained, inspected by intermediaries, or exposed through prompt leakage and downstream integrations, turning the skill into a credential-harvesting channel. In a Xiaomi smart-home context, stolen credentials can enable takeover of connected devices, device inventory access, and abuse of household automations.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
    print("=" * 50)

    # Credentials are read straight from the process environment
    username = os.environ.get("XIAOMI_USERNAME")
    password = os.environ.get("XIAOMI_PASSWORD")

    if not username or not password:
        print("\n请设置环境变量:")
Confidence
93% confidence
Finding
os.environ.get("XIAOMI_PASSWORD")

VirusTotal

65/65 vendors flagged this skill as clean.