Xiaomi Air Purifier
Pass
Audited by VirusTotal on May 14, 2026.
Findings (1)
The skill is classified as suspicious due to a significant prompt injection vulnerability in SKILL.md and sensitive data handling in scripts. The SKILL.md file instructs the AI agent to execute a command (`pnpm exec xmihome login -u <email/phone> -p <password> -c <country>`) that requires direct input of user credentials (email/phone and password). This is a high-risk operation for an AI agent, as it could lead to credential compromise if the agent's environment or logging is not perfectly secure. Additionally, `scripts/extract-token.js` prints sensitive device tokens to standard output, which could be captured if the agent's output is not properly secured. While the functionality is aligned with controlling a Xiaomi air purifier, these methods of handling and displaying sensitive authentication data represent critical vulnerabilities, not intentional malice.
