mxchip-smart-control

v1.0.2

Control smart home devices configured in Smart Plus APP. Use when you need to: (1) Query devices and scenes (lights, AC, switches), (2) Control device power...

⭐ 1· 130·0 current·0 all-time

bymxchip@mxchipyun·duplicate of @kagxin/smart-control-skill

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The name/description, SKILL.md, skill.json, README, and the Python client all describe the same purpose (querying and controlling Smart Plus devices via MXCHIP MCP). The only credential required (MXCHIP_OAUTH_TOKEN) is consistent with a remote API client.

✓

Instruction Scope

SKILL.md instructs the agent to set an OAuth token, install the 'requests' dependency, and call methods that query or control devices. There are no instructions to read arbitrary local files, other environment variables, or to transmit data to endpoints other than the documented MXCHIP endpoints.

ℹ

Install Mechanism

This is an instruction‑only skill (no platform install spec) but contains a Python client and requirements.txt (requests). The package does not include a formal install specification for the platform — users will need to install dependencies (pip install requests) themselves. That is not malicious but is a minor packaging/UX omission to be aware of.

ℹ

Credentials

The code legitimately requires a single OAuth bearer token (MXCHIP_OAUTH_TOKEN) to call the MXCHIP MCP API. However, the top-level registry summary in the provided metadata claims 'Required env vars: none' while skill.json and SKILL.md require MXCHIP_OAUTH_TOKEN — this metadata inconsistency should be clarified before install.

✓

Persistence & Privilege

The skill does not request permanent/always inclusion, does not modify other skills, and only uses the provided token to authenticate to its documented MCP endpoint. Autonomous invocation is allowed (platform default) but is not combined with other red flags here.

Assessment

This package appears to be a normal MXCHIP/MCP client that requires a Smart Plus OAuth token. Before installing: (1) Verify the publisher (the repository claims Shanghai MXCHIP — confirm via official MXCHIP channels if you need assurance), (2) be aware you must supply MXCHIP_OAUTH_TOKEN and that this token gives remote control over your devices — keep it secret and do not paste it into untrusted places, (3) the package lacks a platform install spec; you or the platform will need to install Python 'requests' and ensure the code runs in a safe environment, and (4) correct the metadata mismatch: registry summary shows no env vars while skill.json and SKILL.md require MXCHIP_OAUTH_TOKEN. If you are comfortable with giving this skill access to your Smart Plus account token and you trust the publisher, the package is coherent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk973fnb1aaweds31f4p257038983henp

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

mxchip-smart-control

License

Comments