Xiaomi Air Purifier
Pass
Audited by ClawScan on Feb 17, 2026.
Overview
The skill does what it says — it uses the xmihome library and Mi Cloud/local APIs to discover and control Xiaomi air purifiers — but it includes scripts that read local Mi Cloud credentials and print device tokens (and a sample file with a hard-coded token), which are sensitive and worth noting before use.
This skill appears to do what it claims, but it handles sensitive device credentials/tokens locally — review and treat those tokens like secrets. Before installing or running:
(1) Inspect ~/.config/xmihome/credentials.json and understand that the scripts read it.
(2) Do not run extract-token.js on shared/public machines unless you intend to list device tokens and IPs.
(3) Remove or sanitize test-local.js (it contains a hard-coded token/IP/DID sample) before committing or sharing the repo.
(4) Keep the generated config.json and any printed tokens private.
(5) Consider running pnpm install and this tool in an isolated environment (container/VM) if you are unsure about npm package trust.
If you want higher assurance, review the xmihome npm package source and the lockfile dependencies before use.
