Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Midea Cloud Control

Connect and control Midea devices through the Midea cloud with a local cached account/device config. Use when a user wants to connect a Midea account, list d...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 81 · 0 current installs · 0 all-time installs
by Fook @fooklook
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match what the skill does: it logs into Midea cloud, enumerates devices, caches device metadata, and sends power toggle commands. However the package references the Python library midealocal and aiohttp (and mentions midea-local==6.6.0 in api-notes) but the skill metadata declares no dependencies or install steps — a missing dependency declaration is an operational mismatch.
Instruction Scope
SKILL.md explicitly instructs the agent to write two Python files from the included markdown blobs and execute them. That behavior is consistent with the purpose but is a capability worth noting: the skill writes code to disk and executes it locally. The runtime commands use 'uv run python ...' (a runtime helper that is not declared in required binaries), which is another operational mismatch that may cause failures if 'uv' is not available.
Install Mechanism
There is no install spec (instruction-only), which limits remote code fetch risk. All code to be executed is included in the package as markdown blobs. That reduces supply-chain risk, but the skill still requires third-party Python packages (midealocal, aiohttp) that must already be installed or be installed by other means — this is not declared.
Credentials
The only sensitive data collected are the user's Midea account and password, which the skill legitimately needs. The generated code saves account/password in plaintext under ~/.openclaw/midea-cloud-control/config.json; the SKILL.md instructs to warn the user first, which is appropriate, but plaintext storage is a privacy risk and should be handled with caution (encrypted storage or OS credential store would be safer). No unrelated credentials or env vars are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It does create local files and a per-user config file in the home directory (its own workspace and ~/.openclaw/...); this is expected for caching credentials and device metadata.
Assessment
This skill appears to do what it claims, but review and take these precautions before installing or running it:

  1. Inspect the two generated files (generated-config-store.md and generated-midea-skill-cli.md) yourself — they are included in the package and will be written and executed locally.
  2. Be aware the skill stores your account and password in plaintext at ~/.openclaw/midea-cloud-control/config.json; only proceed if you accept that storage risk, or modify the code to use encrypted storage or the OS credential store.
  3. Ensure the runtime environment has the required Python packages (midealocal and aiohttp) and the 'uv' runner (or adjust the commands to use your Python). The skill metadata does not declare these dependencies.
  4. Run the skill in an isolated environment (virtualenv, container, or throwaway account) if you want to limit blast radius.
  5. After use, consider deleting the config.json file if you no longer want credentials stored.
  6. If you need stronger guarantees, prefer a skill that uses OAuth or official SDK flows rather than storing passwords, or verify the midealocal package version/source before use.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
Tags: air-conditioner, cloud-control, device-control, latest, midea, smart-home

SKILL.md

Midea Cloud Control

This is a pure-text publishable skill for ClawHub.

The uploaded skill folder contains only Markdown/text files. When the skill is first used, OpenClaw should write local helper scripts from the code blocks stored in references/generated-config-store.md and references/generated-midea-skill-cli.md, then execute those local scripts.

Use this skill only for the minimum verified workflow:

  • connect a user's Midea cloud account
  • read and cache device information locally
  • power a named device on or off

Do not promise features that are not yet verified, including:

  • temperature control
  • real-time state reads
  • indoor temperature reads
  • mode switching

Bootstrap step (first use only)

Before handling connect/list/toggle requests, ensure the following two local files exist in a local working directory, for example skills_runtime/midea-cloud-control/ under the workspace:

  • config_store.py
  • midea_skill_cli.py

If they do not exist:

  1. Read references/generated-config-store.md
  2. Extract the Python code block and write it locally as config_store.py
  3. Read references/generated-midea-skill-cli.md
  4. Extract the Python code block and write it locally as midea_skill_cli.py
  5. Then run commands against the local generated midea_skill_cli.py

Suggested local runtime directory:

skills_runtime/midea-cloud-control/
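
The bootstrap step above turns Markdown into code that is then executed, so the extraction is a natural place to enforce the "inspect the generated files" precaution. The following is an added example, not the skill's own code: it extracts the single Python block from a reference file and writes it only if its SHA-256 is on a list of digests a reviewer has approved. The function names and the sample reference content are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

TICKS = "`" * 3  # Markdown fence marker, built this way so this listing stays fence-safe
PY_BLOCK = re.compile(rf"^{TICKS}(?:python|py)[ \t]*\n(.*?)^{TICKS}[ \t]*$", re.S | re.M)

# Constructed stand-in for references/generated-config-store.md (not the real file).
SAMPLE_REFERENCE = (
    "# generated-config-store (constructed sample)\n\n"
    f"{TICKS}python\nimport json\nCONFIG_VERSION = 1\n{TICKS}\n"
)

def extract_python_block(markdown: str) -> str:
    """Return the single Python block; refuse documents with zero or several."""
    blocks = PY_BLOCK.findall(markdown)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one Python block, found {len(blocks)}")
    return blocks[0]

def sha256_of(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()

def write_if_reviewed(reference_md: Path, target: Path, approved: set) -> str:
    """Write the extracted code to target only if a reviewer approved its digest."""
    code = extract_python_block(reference_md.read_text(encoding="utf-8"))
    found = sha256_of(code)
    if found not in approved:
        raise PermissionError(f"{reference_md.name}: sha256 {found} is not on the reviewed list")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(code, encoding="utf-8")
    return found

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "references" / "generated-config-store.md"
        ref.parent.mkdir()
        ref.write_text(SAMPLE_REFERENCE, encoding="utf-8")
        # In practice the approved set is recorded after a human has read the code.
        reviewed = {sha256_of(extract_python_block(SAMPLE_REFERENCE))}
        out = Path(tmp) / "skills_runtime" / "midea-cloud-control" / "config_store.py"
        print("wrote", out.name, "sha256", write_if_reviewed(ref, out, reviewed))
```

Pinning the digest means a later skill update that changes the embedded code fails closed until someone reviews the new block.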

Conversation workflow

Intent A: connect Midea account

When the user says things like:

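  • "I want to connect my Midea devices" (我想连接美的设备)
  • "Help me configure my Midea account" (帮我配置美的账号)
  • "Connect my Midea air conditioner" (连接我的美的空调)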

Do this:

  1. Tell the user credentials will be saved locally at ~/.openclaw/midea-cloud-control/config.json.
  2. Ask for account and password if they have not provided them yet.
  3. Ensure the bootstrap step above has been completed.
  4. Run:
uv run python skills_runtime/midea-cloud-control/midea_skill_cli.py connect --account "<ACCOUNT>" --password "<PASSWORD>"
  5. If success, summarize devices as:
    • device name
    • device id
    • model
    • home
  6. If failure, show the returned failure reason clearly.

Intent B: list connected devices

When the user asks to list devices:

  1. Ensure the bootstrap step above has been completed.
  2. Run:
uv run python skills_runtime/midea-cloud-control/midea_skill_cli.py list

If config is missing, tell the user to connect account first.

Intent C: power on/off by device name

When the user says things like:

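  • "Turn on the children's room air conditioner" (打开儿童房空调)
  • "Turn off the master bedroom air conditioner" (关闭主卧空调)
  • "Turn on the 'living room air conditioner'" (打开“客厅空调”)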

Do this:

  1. Ensure the bootstrap step above has been completed.
  2. Run one of:
uv run python skills_runtime/midea-cloud-control/midea_skill_cli.py toggle --device-name "儿童房空调" --power on
uv run python skills_runtime/midea-cloud-control/midea_skill_cli.py toggle --device-name "儿童房空调" --power off

Then:

  1. Report that the cloud command was sent.
  2. Do not claim physical success unless the user confirms the device reacted.
  3. If the device name is missing from cache, tell the user to reconnect or list devices first.

Safety and privacy

  • Always warn before first-time credential storage.
  • Do not echo passwords back in normal chat responses.
  • Keep the response focused on success/failure and device summary.
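
Because the account and password are cached in ~/.openclaw/midea-cloud-control/config.json, it is worth checking what that file exposes on a shared machine. The following is an added example, not part of the skill: it reports group/other-readable permissions and any plaintext secret in the JSON, and can tighten the modes. The key name `password` is an assumption, since the page does not show the file's schema.

```python
import json
import os
import stat
from pathlib import Path

CONFIG_PATH = Path("~/.openclaw/midea-cloud-control/config.json")  # path from the page
SECRET_KEYS = {"password"}  # assumed key name; the page does not show the schema

def plaintext_secrets(node, prefix=""):
    """Return dotted paths of non-empty strings stored under secret-looking keys."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{prefix}.{key}" if prefix else str(key)
            if str(key).lower() in SECRET_KEYS and isinstance(value, str) and value:
                hits.append(here)
            else:
                hits.extend(plaintext_secrets(value, here))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(plaintext_secrets(value, f"{prefix}[{index}]"))
    return hits

def audit_config(path=CONFIG_PATH):
    """List exposure findings for the cached credential file (empty if absent)."""
    path = Path(path).expanduser()
    if not path.exists():
        return []
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:04o} allows group/other access")
    dir_mode = stat.S_IMODE(path.parent.stat().st_mode)
    if dir_mode & 0o077:
        findings.append(f"directory mode {dir_mode:04o} allows group/other access")
    data = json.loads(path.read_text(encoding="utf-8"))
    findings += [f"plaintext secret at '{p}'" for p in plaintext_secrets(data)]
    return findings

def harden(path=CONFIG_PATH):
    """Restrict the config file and its directory to the owning user."""
    path = Path(path).expanduser()
    os.chmod(path.parent, 0o700)
    os.chmod(path, 0o600)

if __name__ == "__main__":
    for finding in audit_config():
        print("FINDING:", finding)
```

Tightening the modes limits other local users only; the plaintext finding remains until the password is moved to encrypted storage or the OS credential store, or the file is deleted.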

Resources

references/

  • references/api-notes.md — validated scope and limitations
  • references/generated-config-store.md — source code to generate local config_store.py
  • references/generated-midea-skill-cli.md — source code to generate local midea_skill_cli.py

Files

4 total