Xiaomi Air Purifier

Security checks across malware telemetry and agentic risk

Overview

This skill is for controlling a Xiaomi air purifier, but it exposes and stores reusable device tokens in ways users should review carefully before installing.

Install only if you are comfortable giving the skill access to your Xiaomi account session and reusable local device tokens. Avoid running scripts/extract-token.js, remove or rotate the hardcoded token in scripts/test-local.js, keep config.json private and out of backups or repositories, and prefer an isolated Xiaomi account or test environment for evaluation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 76%
Finding: The skill documentation indicates use of environment-backed capabilities while declaring no permissions, which creates a transparency and least-privilege problem. For a skill that handles cloud-connected device control and likely credentials or tokens, undeclared env access can conceal sensitive data handling from reviewers and users.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: This is a substantive description-behavior mismatch, not just a documentation gap. The behavior includes extracting device tokens, local-network control, local caching of IPs/tokens, expanded telemetry collection, and a hardcoded local-access test path, all of which materially increase the attack surface and sensitivity beyond the stated Mi Cloud monitoring/control purpose.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: This script explicitly enumerates devices and prints each device's IP address and authentication token to stdout. Device tokens are sensitive secrets that can enable unauthorized direct control of Xiaomi devices, and exposing them is not required for the stated air-purifier monitoring/control purpose.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding: The script reads a local credential file from the user's home directory and uses it to query Mi Cloud for device data, including secrets. Accessing local credential stores to extract authentication material is unrelated to normal purifier operation and creates a path for credential theft and unauthorized account/device access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The script exposes writable properties for buzzer, child lock, and brightness in addition to the user-described power/mode/level controls. That expands the effective control surface beyond the stated skill scope, creating a capability mismatch where an invoking agent or user may trigger device changes they did not reasonably expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The parser also accepts an undocumented brightness command, which is a smaller but still real scope expansion beyond the stated control contract. While lower impact than lock or power control, undocumented device mutations erode transparency and can be abused by higher-level agents relying on the manifest.

Description-Behavior Mismatch

Severity: Low
Confidence: 92%
Finding: The parser also accepts an undocumented brightness command, which is a smaller but still real scope expansion beyond the stated control contract. While lower impact than lock or power control, undocumented device mutations erode transparency and can be abused by higher-level agents relying on the manifest.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The setup requires direct entry of Mi Cloud credentials but provides no warning or guidance for secure handling of those credentials. In a skill that controls physical devices and may also expose device tokens, poor credential handling can lead to account compromise, unauthorized device control, and leakage of linked home-device metadata.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The code accesses sensitive account-derived data and then displays device identifiers, IPs, and tokens without any warning, masking, or consent. Printing secrets to logs/console greatly increases the chance of disclosure through terminal history, shared logs, screenshots, or downstream tooling.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script persists highly sensitive device metadata, including local tokens and IP addresses, into config.json. Those tokens can enable unauthorized local control of the purifier if the file is read by another local user, a compromised process, or accidentally exposed through backups or repository inclusion.

VirusTotal

61/61 vendors flagged this skill as clean.