小米家居 (Xiaomi Home)

Security checks across malware telemetry and agentic risk

Overview

This Xiaomi smart-home skill is mostly purpose-aligned, but it handles account credentials and device-control tokens too loosely and includes a published private device-token file.

Review before installing. Remove and rotate any exposed Xiaomi device tokens if they belong to you, do not publish or commit token inventories, avoid passing account passwords on the command line, keep debug logging off, and require explicit confirmation before commands that power or change appliances, cameras, routers, or other physical devices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill declares no permissions, yet its documented behavior includes network access and writing device details to local files. This creates a transparency and trust problem: users and hosting platforms are not clearly informed that the skill can contact Xiaomi/cloud endpoints and persist sensitive device data locally.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: The skill is presented as local-LAN control via miiocli, but the documented setup also includes cloud authentication, token extraction, 2FA/captcha handling, device enumeration, BLE key retrieval, and writing harvested account/device data to disk. That mismatch is dangerous because it can mislead users into granting sensitive Xiaomi credentials and exposing high-value secrets such as device tokens and beacon keys under the guise of simple local control.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: This script logs into Xiaomi cloud, performs account and device enumeration across regions, and extracts highly sensitive device secrets such as local tokens and BLE beacon keys. That materially exceeds the stated skill purpose of local-LAN device control via miiocli and creates a credential-harvesting capability that could enable unauthorized control of devices and broader account compromise if the collected secrets are mishandled.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The code starts an unauthenticated local HTTP server on all interfaces ("", port 31415) to serve QR or captcha images. Even though the payload is only an image, exposing a listening service beyond localhost is unnecessary for the stated functionality and can leak login artifacts to other hosts on the network or create avoidable attack surface.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill instructs users to extract and store Xiaomi device IPs and tokens, but provides no warning that these are sensitive credentials that enable direct control of physical devices. If exposed through logs, markdown files, or backups, attackers could remotely manipulate appliances on the local network and potentially pivot into broader home automation compromise.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill encourages direct state-changing commands for appliances such as smart plugs, humidifiers, and rice cookers without warning that these actions affect physical devices. In this context, mistaken, automated, or unauthorized commands can create safety, equipment, or property risks, especially for heating or cooking-related appliances.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The template explicitly tells users to record device IPs and authentication tokens in a markdown reference file so the agent can remember them. Xiaomi local LAN tokens are effectively credentials for device control, so storing them in plaintext documentation increases the risk of accidental disclosure through repository commits, logs, backups, or unintended agent access.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The debug logging emits the full login request fields, including the username, MD5 password hash, and login signing material. Anyone with console access, captured logs, CI output, terminal history collection, or support bundles could recover reusable authentication artifacts or sensitive account information.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The code logs session secrets such as ssecurity, pass tokens, locations, and service tokens during the QR/2FA login flows. These values are precisely the material needed to authenticate subsequent API calls, so exposing them in logs can directly enable account or device access by anyone who obtains the logs.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: The file is designed as a persistent inventory for agent recall and includes a dedicated Token column, which encourages long-term storage of sensitive credentials in a human-readable reference file. In this skill's context, that is more dangerous because the skill controls physical IoT devices over the LAN, so leaked tokens could enable unauthorized device manipulation or reveal household device inventory and network details.

VirusTotal

64/64 vendors flagged this skill as clean.