Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

小米家居 (Xiaomi Home)

[English] Control Xiaomi Home devices over the local LAN using miiocli. Supports status checks, toggling power, and MIOT property manipulation for devices such as smart plugs, humidifiers, and rice cookers. | [Chinese] Control Mi Home smart devices over the LAN using miiocli. Supports viewing status, switching power, and tuning the properties of MIOT devices such as smart plugs, humidifiers, and rice cookers.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
3 · 3.3k · 15 current installs · 18 all-time installs
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (local LAN control via miiocli) matches the provided artifacts: SKILL.md maps intents to miiocli commands and a token_extractor.py is included to obtain device IPs/tokens. Requiring miiocli only is proportionate. However the metadata contains a platform-specific pipx install command (references /Users/$(whoami)/.local/...), and the repository ships a pre-filled 'my_private_devices.md' containing many device IPs and 32‑byte tokens — that file is unexpected for a generic skill and leaks sensitive data.
Instruction Scope
SKILL.md explicitly instructs the user (or agent) to run scripts/token_extractor.py to fetch Xiaomi cloud tokens; the script requests Xiaomi account credentials, interacts with Xiaomi cloud endpoints, and can open a local HTTP server for auth flows. Those actions are coherent with the stated goal but expand the skill's scope to collecting sensitive account credentials and device tokens. Additionally, the repository already includes references/my_private_devices.md with many clear-text tokens and IPs (marked 'DO NOT PUBLISH'), which contradicts best practices and is a direct sensitive-data exposure.
Install Mechanism
The skill is instruction-only (no formal install spec), which is lower risk. The skill metadata suggests an install step that runs: 'pipx install python-miio && /Users/$(whoami)/.local/pipx/venvs/python-miio/bin/python -m pip install "click<8.1.0"'. That command is macOS/user-home-centric and brittle (hardcoded user path pattern) and not cross-platform. The SKILL.md does not declare or install other Python runtime deps referenced by token_extractor.py (requests, Pillow, Crypto/Cryptodome, colorama), creating an inconsistency in declared vs required installs.
Credentials
The skill does not declare environment variables, which is fine. But runtime instructions (and the included script) require Xiaomi account credentials and produce device tokens — legitimate for the purpose but high-risk. More importantly, the repo already contains references/my_private_devices.md populated with multiple real-looking tokens and IPs. Including third-party device tokens in the skill bundle is inappropriate and a direct sensitive-data leakage; it makes the package risky to distribute or run without cleaning those files.
Persistence & Privilege
The skill does not request 'always: true' and does not declare system-wide modifications. It is instruction-only with no install that writes to system paths (aside from the metadata's suggested pipx install which operates in the user's home). There is no evidence the skill attempts to modify other skills or global agent settings.
What to consider before installing
What to consider before installing/using this skill:

  • The skill will ask you to run a token-extractor script that requires your Xiaomi account credentials and will retrieve device IPs and 32‑byte local tokens. This is necessary to control devices locally but is sensitive: only run it on a machine you control and trust.
  • The repository includes a file (references/my_private_devices.md) containing multiple clear-text device tokens and IPs. Treat that as exposed secrets: delete or sanitize that file before using or sharing this skill, and do not assume the shipped tokens are yours.
  • The metadata's install command is macOS/user-home specific and brittle. Review and run install commands manually rather than blindly copy/pasting; consider installing in a virtual environment or disposable VM.
  • Inspect scripts/token_extractor.py yourself: it talks to Xiaomi cloud endpoints (api.io.mi.com) and may open a local HTTP server for auth flows — verify there are no unexpected external endpoints before entering credentials.
  • Prefer running the token extraction in an isolated environment (VM, container) and keep extracted tokens in a local, private store (not in the repo). Rotate/change account credentials if you suspect any exposure.

If you want, I can: (1) scan token_extractor.py for any network calls beyond Xiaomi endpoints, (2) highlight exactly which libraries it imports and which install commands are needed, or (3) produce a safe step-by-step runbook to extract tokens locally and store them securely.


Current version: v1.2.1
latestvk972dsjhm6wqsfapgczzpr126980hxsr


Runtime requirements

🏠 Clawdis
Bins: miiocli

SKILL.md

Xiaomi Home Control 🏠 | 小米家居控制

English

Enable code-level control of Xiaomi (Mi Home) devices over the local network.

🚀 Features

  • Local Network Control: Fast, direct communication without relying on heavy cloud APIs.
  • Built-in Token Extractor: Includes a script to easily fetch your device IPs and Tokens from Xiaomi Cloud.
  • Pre-configured Workflows: Ready-to-use commands for smart plugs (e.g., water heaters), humidifiers, and rice cookers.
  • Automatic Dependency Fix: Solves common library conflicts (like the click version issue) automatically.

🛠️ Setup & Device Inventory

  1. Tokens: Obtain device IPs and Tokens using the bundled script:
    python3 scripts/token_extractor.py
    
  2. Registry: Store your device details in references/devices.md or references/my_private_devices.md.

🤖 Natural Language Intents

When the user gives a command, map it to the corresponding miiocli operation:

User Intent / Device Type / Action: Technical Command (Example)

  • "Turn on water heater" / Smart Plug / Power ON: miiocli miotdevice --ip <IP> --token <TOKEN> raw_command set_properties '[{"siid": 2, "piid": 1, "value": true}]'
  • "Turn off water heater" / Smart Plug / Power OFF: miiocli miotdevice --ip <IP> --token <TOKEN> raw_command set_properties '[{"siid": 2, "piid": 1, "value": false}]'
  • "Humidifier to max" / Humidifier / Set Mode: miiocli miotdevice --ip <IP> --token <TOKEN> set_property_by 2 5 3
  • "Is rice cooked?" / Rice Cooker / Check Status: miiocli cooker --ip <IP> --token <TOKEN> status
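The mapping above substitutes an IP and a token read from a registry file into a command line. The following is an added example, not code from the skill or from python-miio: it reproduces the four table rows as argv lists (so values never pass through a shell) and refuses an IP that is not a LAN address or a token that is not 32 hexadecimal characters, so that a mis-copied or tampered registry entry fails closed before miiocli is invoked. The intent phrases are those of the table; the sample registry entry and its token are constructed, and the 32-hex-character token format is an assumption based on how the page's tokens are described.

```python
"""Intent -> miiocli argv with input validation.

Added example (not part of the ClawHub skill or python-miio). Commands are built
as argument lists and never as shell strings, and the target is validated first.
"""
import ipaddress
import json
import re
import shlex
import subprocess

# Local device tokens as shown in the registry: 32 hex characters (assumption).
TOKEN_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def _set_properties(siid: int, piid: int, value) -> list[str]:
    """Argument tail for a MIOT raw set_properties call, as in the table rows."""
    payload = json.dumps([{"siid": siid, "piid": piid, "value": value}])
    return ["miotdevice", "raw_command", "set_properties", payload]


# Intent phrase -> (device type, action, [device class, *miiocli arguments]).
INTENTS = {
    "turn on water heater": ("Smart Plug", "Power ON", _set_properties(2, 1, True)),
    "turn off water heater": ("Smart Plug", "Power OFF", _set_properties(2, 1, False)),
    "humidifier to max": ("Humidifier", "Set Mode", ["miotdevice", "set_property_by", "2", "5", "3"]),
    "is rice cooked?": ("Rice Cooker", "Check Status", ["cooker", "status"]),
}


def validate_target(ip: str, token: str) -> None:
    """Raise ValueError unless ip is a private (LAN) address and token is 32 hex chars."""
    addr = ipaddress.ip_address(ip)  # ValueError on anything that is not an IP
    if not addr.is_private:
        raise ValueError(f"{ip} is not a LAN address; local control must not target a public IP")
    if not TOKEN_RE.match(token):
        raise ValueError("token must be exactly 32 hexadecimal characters")


def is_valid_target(ip: str, token: str) -> bool:
    """Boolean form of validate_target for callers that prefer not to catch exceptions."""
    try:
        validate_target(ip, token)
        return True
    except ValueError:
        return False


def build_command(intent: str, ip: str, token: str) -> list[str]:
    """Return the miiocli argv for an intent, e.g. ['miiocli', 'cooker', '--ip', ..., 'status']."""
    key = intent.strip().lower()
    if key not in INTENTS:
        raise KeyError(f"no miiocli mapping for intent {intent!r}")
    validate_target(ip, token)
    _, _, tail = INTENTS[key]
    device_cls, *rest = tail
    return ["miiocli", device_cls, "--ip", ip, "--token", token, *rest]


def run_intent(intent: str, ip: str, token: str) -> str:
    """Execute the mapped command without a shell and return miiocli's stdout."""
    argv = build_command(intent, ip, token)
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed registry entry; the token is a placeholder, not a real device token.
    registry = {"water heater plug": {"ip": "192.168.1.50", "token": "0123456789abcdef0123456789abcdef"}}
    target = registry["water heater plug"]
    print(shlex.join(build_command("Turn on water heater", target["ip"], target["token"])))
```

Because the argv is a list, a registry entry that contained shell metacharacters would be passed to miiocli as a literal argument rather than interpreted; the private-address check additionally stops a "local control" skill from being pointed at a host outside the LAN.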

Chinese Description

Enable direct code-level control of Xiaomi (Mi Home) smart home devices within the local network.

🚀 Core Features

  • Local Control: Communicates directly within the LAN with very fast response, without depending entirely on complex cloud APIs.
  • Built-in Token Extractor: A bundled extraction script easily syncs the IP and 32-character Token key of every device from your Xiaomi account.
  • Preset Workflows: Supports many common devices such as smart plugs (e.g., water heater control), humidifiers, and the Mi Home small rice cooker.
  • Automatic Environment Optimization: Python dependency conflicts (such as the click version issue) are handled automatically at install time, so it works out of the box.

🛠️ Quick Start

  1. Get the keys: Run the bundled extraction script:
    python3 scripts/token_extractor.py

  2. Configure the list: Fill in your device information in references/devices.md
  3. Give commands: Tell the bot, e.g., "Turn on the water heater" or "Check humidifier status".

🔗 Links | Related Links

Developed with 🦞 by @Pegasus02

Files

4 total