Ha Xiaomi Control
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its smart-home control purpose, but it uses a Home Assistant token with a generic API helper that can call arbitrary Home Assistant services, not just the listed Xiaomi devices.
Install only if you are comfortable letting the agent control your Home Assistant instance. Before use, set HA_URL to your own Home Assistant server, protect HA_TOKEN, and preferably restrict the script to only the specific entities and services you want controlled.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or a user supplies the wrong service or entity, it could control unintended Home Assistant devices or invoke broader Home Assistant automations allowed by the token.
The helper is a generic Home Assistant service caller. It accepts the entity ID, service path, and JSON data from arguments and posts to /api/services/{service}, with no allowlist limiting it to the documented Xiaomi devices.
python ha_control.py <entity_id> <service> [data_json]
Restrict the helper to an explicit allowlist of approved Xiaomi/Xiao AI entities and services, and require clear user confirmation before physical device changes.
Anyone or anything with access to the token may be able to control Home Assistant devices permitted by that token.
A Home Assistant bearer token is sensitive account authority. This is expected for the integration, but users should notice it because the registry metadata lists no primary credential or required environment variables.
Access Token: Read from user's environment or TOOLS.md
Use a least-privilege Home Assistant token if possible, store it securely, avoid putting it in shared files, and declare the credential requirement clearly.
