Back to skill

Security audit

小米家居 (Xiaomi Home)

Security checks across malware telemetry and agentic risk

Overview

This smart-home skill is related to its stated purpose, but it handles Xiaomi account and device-control secrets too loosely and ships a private-looking token inventory.

Review carefully before installing. Do not publish or commit Xiaomi tokens, remove any real private inventory from the package, rotate exposed device tokens where possible, keep debug logging off, avoid passing passwords on the command line, and require explicit confirmation before controlling heaters, cookers, cameras, routers, or other physical devices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions while its documented behavior includes network access and writing sensitive device inventory details to files. This weakens user consent and review because the actual capability surface is broader than the manifest suggests, especially in a skill that handles device tokens and cloud-derived secrets.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest presents the skill as local LAN control, but the documented functionality extends into Xiaomi cloud login, token extraction, 2FA/captcha handling, inventory enumeration, BLE key retrieval, and local HTTP serving. This is a significant behavior mismatch that can mislead users into providing credentials and exposing device secrets under the assumption that the skill is only performing local control.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The description emphasizes local-LAN control, yet the documentation explicitly includes Xiaomi Cloud token extraction. That inconsistency can cause users and reviewers to underestimate the sensitivity of the skill, since cloud token extraction involves account-linked secrets beyond simple LAN device commands.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Including Xiaomi Cloud credential and token extraction in a skill framed as local device control introduces a sensitive capability that is not clearly necessary or justified in the manifest. Because extracted tokens can enable direct device access, this expands the attack surface and can expose long-lived secrets if mishandled.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script performs full Xiaomi cloud authentication, enumerates homes/devices across regions, and extracts device tokens and BLE beacon keys. That materially exceeds the stated skill purpose of local-LAN control via miiocli and introduces collection of highly sensitive account- and device-level secrets that could enable broader unauthorized access.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script starts an unauthenticated local HTTP server bound to all interfaces on port 31415 and serves QR/captcha images to any host that can reach it. While intended as a convenience feature, it exposes authentication artifacts beyond the core LAN-control purpose and may leak login material or session-related verification content on multi-user or exposed networks.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code explicitly retrieves and outputs sensitive device secrets, including LAN tokens and BLE beacon keys, and later writes aggregated device data to an output file. Those secrets can be used to control devices or impersonate them, so collecting and exporting them is far more sensitive than ordinary device status/control behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to run a token extractor against Xiaomi Cloud without warning that it may handle highly sensitive credentials, 2FA flows, device tokens, and possibly BLE keys. Those secrets can enable unauthorized device control and broader household inventory disclosure if leaked through logs, screenshots, files, or shell history.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions tell users to store device IPs and tokens in markdown files without any warning about securing those files. Plaintext storage of network addresses and authentication tokens makes accidental disclosure via backups, version control, shared folders, or other local tools much more likely, enabling unauthorized device access.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The template explicitly tells users to record device IPs and Xiaomi LAN tokens in a markdown file intended to help the agent remember them. These tokens are effectively credentials for local device control, so storing them in a plain reference document without any warning about sensitivity, access controls, or secure storage increases the chance of accidental disclosure through repository sharing, logs, backups, or agent context exposure.

Missing User Warnings

High
Confidence
99% confidence
Finding
This file contains live-looking Xiaomi device credentials, including device tokens, private IP addresses, models, and network segmentation details. Even though the IPs are private RFC1918 addresses, the tokens can enable unauthorized control of devices by anyone with LAN access or follow-on access to the relevant networks, and the inventory materially aids lateral movement and targeting of cameras, routers, and other smart devices.

Missing User Warnings

High
Confidence
99% confidence
Finding
Debug logging includes the full login request fields and server response during authentication, which exposes sensitive values such as the password-derived MD5 hash and returned account secrets like ssecurity, passToken, and related identifiers. Anyone with access to logs could reuse or abuse these artifacts for account or device access.

Missing User Warnings

High
Confidence
99% confidence
Finding
The QR login flow logs ssecurity, pass token, location, and user identifiers after successful authentication. These are account security artifacts, and exposing them in logs can allow session replay, secret reuse, or offline collection by other local users or log processors.

Missing User Warnings

High
Confidence
99% confidence
Finding
The serviceToken is written directly to debug logs after retrieval. The serviceToken is a high-value session credential, so leaking it to logs can provide immediate unauthorized access to Xiaomi cloud APIs and downstream device metadata.

Ssd 3

Medium
Confidence
97% confidence
Finding
The file is framed as agent memory, encouraging users to place sensitive device-control secrets into natural-language documentation that may be ingested, indexed, or surfaced by the agent. In this skill context, those tokens enable direct control of Xiaomi devices on the LAN, so disclosure could allow unauthorized switching, property manipulation, and inventorying of the home environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.