Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ha Xiaomi Control
v0.1.0
Control Xiaomi smart home devices via the Home Assistant API. Use when the user wants to control Xiaomi or Xiao AI devices such as air conditioner, speakers, and lig...
by XB Yan (@pipluuup)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The skill's name, description, SKILL.md, and the included Python script all describe Home Assistant control and the included entity IDs align with that purpose. However, the registry metadata declares no required environment variables or primary credential even though both the SKILL.md and script expect an HA access token (HA_TOKEN) and optionally HA_URL; this mismatch is unexpected and should be corrected.
Instruction Scope
Runtime instructions and the script only call the user's Home Assistant API endpoints to trigger services (curl examples and a Python helper); they do not reference any external network endpoint beyond HA_URL. Concern: SKILL.md tells the agent to 'Load configuration from TOOLS.md → 智能家居' (the section name means "Smart Home"), but TOOLS.md is neither included nor referenced in the metadata; that is an ambiguous external dependency and could allow unintended config lookups.
Install Mechanism
There is no install spec: the skill is instruction-only plus one small included script. The Python script is short, readable, and uses only the standard library (urllib). No downloads or archive extraction occur, so install risk is low.
Credentials
The skill needs a sensitive credential (an HA access token) and optionally an HA_URL, but the registry metadata lists no required env vars or primary credential. The SKILL.md and script expect HA_TOKEN (and use HA_URL, defaulting to a specific local IP). Requiring a token is proportionate to the task, but failing to declare it is a configuration omission that could confuse users and lead to accidental exposure or misconfiguration.
Persistence & Privilege
The skill does not request permanent presence (always=false), does not modify other skills or system config, and does not persist credentials itself. Autonomous invocation is allowed (platform default) but this is not combined with other high-privilege requests.
What to consider before installing
This skill appears to do what it claims (call Home Assistant services for Xiaomi devices), but take these precautions before installing:
- Expect to provide an HA access token (HA_TOKEN) and optionally HA_URL; the skill metadata fails to declare these — verify with the author and prefer a skill that lists required credentials explicitly.
- The SKILL.md defaults HA_URL to a specific local IP (http://192.168.31.35:8123) — change that to your HA instance or remove the default to avoid accidental calls to someone else's host.
- The SKILL.md references a TOOLS.md section (智能家居, "Smart Home") which is not included; ask where that file lives and what it may contain before allowing the skill to read it.
- Review the included scripts/ha_control.py yourself (it's short and readable). It prints HTTP responses (which may reveal device state) but does not log the token. Ensure the runtime environment protects the token (use a secure secret store or environment variable with least privilege).
- If you will expose Home Assistant remotely, use HTTPS and a scoped long-lived token. Consider running the skill in a sandboxed agent or with a token that has minimal permissions for the entities the skill needs.
If you cannot confirm the missing metadata (required env vars and location of TOOLS.md) or you do not trust the default HA_URL, treat the skill cautiously or ask the author to correct the declarations before installing.
latest: vk97chg4a6wggdx3s8gtykzcw3182mmhc
