Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mijia Control

v1.1.0

Control Xiaomi Mi Home (米家) smart devices via Xiaomi Cloud API. Use when: user wants to control smart home devices (lights, AC, heater, bath heater, switches...

by PL Uncle (@jasonzhang2015)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and instructions implement Mi Home cloud control (uses micloud, calls MiCloud APIs, provides get/set/scene/tts/batch actions) which matches the skill description. However the repository contains a device registry and home_id hard-coded for a specific household (labels like 'BOSS home', many DIDs, home_id=159001331072). That makes the package appear tailored to a particular user's environment rather than a generic, reusable controller.
Instruction Scope
Runtime instructions and scripts operate within the Xiaomi API domain and the user's home directory: they read/write ~/.mijia_creds.json, cache devices to ~/.mijia_devices.json, and maintain ~/.fish_feed_state.json. They also instruct manual browser-based login steps. Instructions do not attempt to read unrelated system files or call unexpected external endpoints, but they do require storing sensitive credentials locally and will poll cloud device event logs (expected for this functionality).
Install Mechanism
There is no automated install/download step; this is instruction-plus-source included in the bundle. The only external install required is the micloud Python package (pip3 install micloud), which is a normal dependency for this functionality. No remote arbitrary archives or URL downloads are used.
Credentials
No environment variables are requested, and the credential storage (~/.mijia_creds.json) is proportionate for a cloud API client. However the bundle embeds many device IDs, models, and a home_id specific to one household. Those entries are sensitive (device identifiers and home_id) and are not required for a generic controller; their presence is disproportionate and may leak another person's home layout or identifiers if this package is shared or published.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide agent settings. It writes only to files within the user's home (~/.mijia_creds.json, ~/.mijia_devices.json, ~/.fish_feed_state.json) which is expected for caching/credential/state; autonomous invocation is allowed (platform default) but not an additional privilege requested by the skill.
Scan Findings in Context
[embedded_personal_device_ids_and_home_id] unexpected: The bundle contains a devices.json with many hard-coded DIDs, models, and a home_id. A generic Xiaomi controller would normally not ship with another user's personal device registry; this appears tailored to a single household and is a privacy/exposure risk.
[local_credential_file_usage] expected: The skill reads/writes ~/.mijia_creds.json for serviceToken/ssecurity and caches devices to ~/.mijia_devices.json; storing credentials locally is expected for a cloud-client script, but users should verify the file contents and protect the file (SKILL.md notes chmod 600).
[cron_polling_and_state_file] expected: fish_auto_feed.py is designed to be run periodically and stores a per-day state in ~/.fish_feed_state.json. This behavior is consistent with the described auto-feeding automation, but it does mean periodic network access to the Xiaomi cloud is performed.
What to consider before installing
Before installing or running this skill, consider the following:
- This package appears to be customized for a specific home: it includes hard-coded device IDs and a home_id. If you do not own those devices, do not use the pre-filled references; remove or replace them with your own device IDs.
- The skill requires Xiaomi cloud credentials saved to ~/.mijia_creds.json (serviceToken, ssecurity, userId). Only create that file if you trust the code; protect it (chmod 600) and do not share it. Prefer to run the login flow locally and verify the credentials yourself.
- The scripts will write cache/state files to your home directory (~/.mijia_devices.json and ~/.fish_feed_state.json). Review these files for sensitive data before sharing them.
- The code depends on the third-party micloud Python package. Review that package and install it from a trusted source (pip) in a controlled environment (a virtualenv) if possible.
- If you plan to enable the auto-feed cron behavior, be aware that it will poll your cloud account periodically; only enable it if you intend that background activity.
- Recommended actions: inspect and remove any embedded device/home identifiers that do not belong to you; run the scripts in a sandbox or non-privileged account first; rotate your Xiaomi credentials if you ever load them into an environment you do not fully trust.
- If you are not the owner of the listed devices (the bundle's 'BOSS home'), treat these files as containing someone else's private information and avoid uploading or publishing them.
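The two checks the scan findings and the list above keep coming back to (embedded device/home identifiers in the bundle, and the permissions on ~/.mijia_creds.json) can be automated before the skill is ever run. The script below is an added example written for this page, not code from the skill or from ClawHub. It assumes the identifier fields in the bundle's JSON are named "did" and "home_id" (inferred from the scan text, not verified against the bundle) and uses a constructed sample registry with placeholder IDs; it runs offline and needs only the standard library.

```python
"""Pre-install audit for a Mi Home skill bundle (added example, not the skill's own code).

Checks suggested by the scan findings:
  1. find_embedded_identifiers / scrub_registry: locate device IDs and a home_id
     hard-coded in the bundle's JSON files, and blank them so only your own values go in.
  2. credential_file_problems / audit_credential_file: confirm ~/.mijia_creds.json is a
     regular file (not a planted symlink), owned by you, with no group/other bits (chmod 600).

Assumptions: identifier keys are named "did" and "home_id"; SAMPLE_REGISTRY is constructed
here with placeholder values and does not describe any real household.
"""
import json
import os
import stat
import sys
from pathlib import Path

ID_KEYS = {"did", "home_id"}  # assumed names of identifier fields in devices.json

# Constructed sample registry: placeholder IDs and model strings, not real devices.
SAMPLE_REGISTRY = {
    "home_id": "123456789012",
    "devices": [
        {"name": "living room light", "did": "111111111", "model": "example.light.ceiling"},
        {"name": "fish feeder", "did": "222222222", "model": "example.feeder.auto"},
    ],
}


def find_embedded_identifiers(obj, path="$"):
    """Return (json_path, key, value) for every non-empty identifier field found in obj."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in ID_KEYS and isinstance(value, (str, int)) and str(value) != "":
                hits.append((child, key, str(value)))
            else:
                hits.extend(find_embedded_identifiers(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_embedded_identifiers(value, f"{path}[{i}]"))
    return hits


def scrub_registry(obj):
    """Deep copy of obj with every identifier field blanked; names and models stay as a template."""
    if isinstance(obj, dict):
        return {k: ("" if k in ID_KEYS else scrub_registry(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub_registry(v) for v in obj]
    return obj


def credential_file_problems(st_mode, st_uid, uid):
    """Pure check on stat() results, so it can be tested without touching the filesystem."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file (symlink or special file)")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode is {oct(stat.S_IMODE(st_mode))}, expected 0o600")
    if st_uid != uid:
        problems.append(f"owned by uid {st_uid}, not the current user ({uid})")
    return problems


def audit_credential_file(path=None):
    """Inspect the credential file with lstat so a symlink at that path is reported, not followed."""
    p = Path(path) if path else Path.home() / ".mijia_creds.json"
    if not os.path.lexists(p):
        return [f"{p} does not exist yet (create it yourself, then chmod 600)"]
    st = p.lstat()
    return credential_file_problems(st.st_mode, st.st_uid, os.getuid())  # POSIX only


def audit_bundle(bundle_dir):
    """Scan every *.json under the bundle; return {relative_path: hits} for files with identifiers."""
    report = {}
    root = Path(bundle_dir)
    for f in root.rglob("*.json"):
        try:
            data = json.loads(f.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to extract
        hits = find_embedded_identifiers(data)
        if hits:
            report[str(f.relative_to(root))] = hits
    return report


if __name__ == "__main__":
    bundle = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, hits in audit_bundle(bundle).items():
        print(f"{rel}: {len(hits)} embedded identifier(s), e.g. {hits[0][0]}={hits[0][2]}")
    for problem in audit_credential_file():
        print(f"~/.mijia_creds.json: {problem}")
```

Run it as `python3 audit_mijia_bundle.py /path/to/unzipped-skill` before installing. Any file it lists should be replaced with the output of `scrub_registry` (or deleted) and refilled with your own DIDs and home_id; the credential check uses `lstat` deliberately, because a symlink dropped at ~/.mijia_creds.json would otherwise let the skill read or overwrite a different file while `chmod 600` appears satisfied.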

Like a lobster shell, security has layers — review code before you run it.

Tags: iot, latest, mijia, smart-home, xiaomi