Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiaomi Home Control

v1.2.2

Control Xiaomi/Mijia smart home devices via Home Assistant using natural language to manage lights, AC, locks, fans, sensors, and more locally.

0 stars · 148 downloads · 0 current · 0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for canmaxfire/openclaw-xiaomi-home.

Prompt preview (Install & Setup):
Install the skill "Xiaomi Home Control" (canmaxfire/openclaw-xiaomi-home) from ClawHub.
Skill page: https://clawhub.ai/canmaxfire/openclaw-xiaomi-home
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-xiaomi-home

ClawHub CLI


npx clawhub@latest install openclaw-xiaomi-home
Security Scan
Capability signals
Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign (View report →)
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (control Xiaomi devices via Home Assistant) matches the code and docs: the MCP server calls Home Assistant APIs and exposes tools for lights, climate, locks, sensors, etc. However the registry metadata claims no required env vars/credentials whereas SKILL.md, README, setup.sh and server code require and use a Home Assistant long-lived token (HA_TOKEN) and HA_URL — this metadata omission is an inconsistency.
Instruction Scope
SKILL.md and README describe a local-only design. The code enforces Bearer auth and restricts CORS to http://localhost, but the server does not explicitly bind to 127.0.0.1; it listens on the configured port on all interfaces by default. Origin/CORS restrictions only affect browsers; non-browser clients (or remote hosts that can reach the port) could attempt requests. The setup script also creates a LaunchAgent that will run the MCP server persistently. The documentation's claim 'MCP server only accepts requests from localhost' is therefore inaccurate/insufficient.
Install Mechanism
This is mostly instruction-only with included helper scripts; there is no opaque remote install URL. Installation runs docker compose (pulling Home Assistant from ghcr.io) and npm install in the ha-mcp-server folder (package.json only depends on dotenv, but package-lock contains many entries). The setup script runs docker (including a fallback docker run with --privileged and host networking) and installs a LaunchAgent. These are expected for a local Home Assistant integration but grant the container broad host privileges and persistent behavior — standard for HA but worth noting.
Credentials
The skill requires a Home Assistant Long-Lived Access Token (HA_TOKEN) and HA_URL in an .env file for the MCP server to authenticate to Home Assistant. Requesting HA_TOKEN is appropriate for controlling Home Assistant, but the registry metadata did not declare any required env vars/primary credential (mismatch). The code reads .env from the skill directory and will include HA_TOKEN in Authorization headers to the local HA instance; ensure .env is protected (file permissions) because this token grants control over devices and automations.
Persistence & Privilege
The provided setup.sh installs a LaunchAgent under ~/Library/LaunchAgents to run the MCP server persistently and starts Home Assistant containers. Persistent LaunchAgents and a privileged Home Assistant container increase attack surface and permanence of the skill on the system. always:false (no forced inclusion), but the skill does persist itself as a per-user service if the user runs setup.sh.
What to consider before installing
Things to check before installing or running this skill:

- Verify credentials metadata: the registry entry shows no required env vars, but the skill needs HA_TOKEN and HA_URL in scripts/ha-mcp-server/.env. Treat HA_TOKEN as highly sensitive: do not share it, and restrict file permissions (chmod 600).
- Network exposure: the code enforces Bearer auth and CORS but does not bind the MCP server explicitly to 127.0.0.1, so Node listens on all interfaces by default. If you only want local access, edit scripts/ha-mcp-server/src/http-server.mjs to bind to 127.0.0.1, or add a firewall rule that blocks external access to the MCP port (default 3002). CORS only constrains browsers; it does nothing against curl or another host on the LAN.
- Persistence: setup.sh installs a LaunchAgent to keep the MCP server running. Review the generated plist before loading it, and unload and remove it when you no longer want the service.
- Docker privileges: the docker-compose/run path uses --privileged and host networking for Home Assistant. This is common for HA but widens host privileges; only run it on a trusted machine.
- Validate the code and sources: if you obtained the skill from this bundle rather than an official repo, audit the small server files (http-server.mjs and call-tool.mjs) yourself or source the project from a maintained upstream repository. Confirm package.json and package-lock integrity before running npm install.

If you want a conservative safe setup, do not run setup.sh unmodified. Instead: (a) manually create the .env with HA_URL and HA_TOKEN, (b) run the MCP server bound to 127.0.0.1, (c) use firewall rules to block remote access to the MCP port, and (d) only enable the LaunchAgent after inspecting the plist.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

- scripts/ha-mcp-server/src/call-tool.mjs:22: Environment variable access combined with network send.
- scripts/ha-mcp-server/src/call-tool.mjs:7: File read combined with network send (possible exfiltration).
- scripts/ha-mcp-server/src/http-server.mjs:7: File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

latest: vk976c14qqfades4cjp3nat3zgx85fha7
148 downloads · 0 stars · 8 versions · Updated 4d ago · v1.2.2 · MIT-0

Xiaomi Home Control

Your OpenClaw can now control your smart home. Connect to Xiaomi/Mijia devices through Home Assistant and control everything with plain text or voice.

What It Does

Just tell your AI what you want:

"Turn on the living room light"
"Set bedroom AC to 26 degrees"
"Is the front door locked?"
"What's the temperature?"
"Lock all doors"
"Turn off all lights"

Done. No apps. No switching. No pointing and clicking.

What You Can Control

Category | Examples
💡 Lights | Turn on/off, adjust brightness
❄️ Air Conditioning | Set temperature, mode, fan speed
🔐 Door Locks | Lock/unlock from anywhere
🌡️ Sensors | Temperature, humidity, motion
💨 Fans & Humidifiers | On/off, speed control
🪟 Blinds & Curtains | Open/close
🤖 Robot Vacuums | Start, stop, return to charger

Works with 1837+ Xiaomi/Mijia devices via the official Xiaomi Home integration.

Setup (One Time)

# 1. Start Home Assistant
docker compose up -d

# 2. Connect your Xiaomi devices
# (open localhost:8123 → add Xiaomi Home integration)

# 3. Install the control server
cd scripts/ha-mcp-server && npm install

# 4. Done

Full guide in README.md.

How It Works

You → "Turn on the light"
  ↓
OpenClaw AI
  ↓
Home Assistant (your local server)
  ↓
Xiaomi Device

All on your local network — no cloud, no subscription.
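The Home Assistant hop in the chain above is also what the scan's call-tool.mjs findings point at: an environment variable (HA_TOKEN) read and then sent over the network. This added example, not the skill's own call-tool.mjs, shows that hop. The Home Assistant REST endpoints it uses are the real ones (POST /api/services/<domain>/<service> and GET /api/states/<entity_id>, authenticated with a Bearer token in the Authorization header). The tool-call shape {domain, service, entity_id, data} and the entity ids are assumptions, and the local-only check on HA_URL goes beyond what the page describes: it refuses any HA_URL that is not loopback or RFC 1918 space, so a mistyped .env cannot ship the token to an internet host.

```javascript
'use strict';
// Added example (not the skill's call-tool.mjs): turning a tool call into a
// Home Assistant REST request that carries HA_TOKEN, with a guard that keeps
// the request on the local network.

const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function isPrivateIpv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Accept only http(s) URLs whose host is loopback or RFC 1918 space, so a
// mis-set HA_URL cannot send HA_TOKEN to an arbitrary internet host.
function isLocalHaUrl(haUrl) {
  let u;
  try { u = new URL(haUrl); } catch { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  return LOOPBACK_HOSTS.has(u.hostname) || isPrivateIpv4(u.hostname);
}

const IDENT = /^[a-z_]+$/;              // HA domain and service names
const ENTITY = /^[a-z_]+\.[a-z0-9_]+$/; // e.g. light.living_room

// Build a fetch() request for an HA service call. The token travels only in
// the Authorization header, never in the URL or the body. Assumed tool-call
// shape: { domain, service, entity_id, data }.
function buildServiceCall(haUrl, token, call) {
  if (!isLocalHaUrl(haUrl)) throw new Error(`refusing non-local HA_URL: ${haUrl}`);
  if (!IDENT.test(call.domain) || !IDENT.test(call.service)) throw new Error('bad domain/service');
  if (!ENTITY.test(call.entity_id)) throw new Error(`bad entity_id: ${call.entity_id}`);
  const base = haUrl.replace(/\/+$/, '');
  return {
    url: `${base}/api/services/${call.domain}/${call.service}`,
    init: {
      method: 'POST',
      headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ entity_id: call.entity_id, ...(call.data || {}) }),
    },
  };
}

// Read-only counterpart for questions like "Is the front door locked?".
function buildStateQuery(haUrl, token, entityId) {
  if (!isLocalHaUrl(haUrl)) throw new Error(`refusing non-local HA_URL: ${haUrl}`);
  if (!ENTITY.test(entityId)) throw new Error(`bad entity_id: ${entityId}`);
  const base = haUrl.replace(/\/+$/, '');
  return {
    url: `${base}/api/states/${entityId}`,
    init: { method: 'GET', headers: { Authorization: `Bearer ${token}` } },
  };
}

// "Set bedroom AC to 26 degrees" -> climate.set_temperature on the AC entity.
async function setTemperature(haUrl, token, entityId, temperature, fetchImpl = globalThis.fetch) {
  const { url, init } = buildServiceCall(haUrl, token, {
    domain: 'climate', service: 'set_temperature', entity_id: entityId, data: { temperature },
  });
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`Home Assistant returned HTTP ${res.status}`);
  return res.json();
}

// "Is the front door locked?" -> true/false from the entity's state string.
async function isLocked(haUrl, token, entityId, fetchImpl = globalThis.fetch) {
  const { url, init } = buildStateQuery(haUrl, token, entityId);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`Home Assistant returned HTTP ${res.status}`);
  return (await res.json()).state === 'locked';
}
```

The fetchImpl parameter exists so the request builders can be exercised against a fake fetch without a running Home Assistant; in production leave it at the default. Because HA_TOKEN is a long-lived token with the same rights as the user who created it, the URL guard and the chmod 600 on .env are the two controls that limit where it can end up.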

Why It's Better

Before | After
Open app → find device → tap | Just say what you want
One device at a time | Control everything at once
Can't do it remotely | Through AI assistant from anywhere
Remember which app for which device | Describe it in plain English

Privacy

  • Everything stays on your home network
  • No cloud dependency after setup
  • No data collection or tracking
  • Runs on your own hardware

Example Commands

"Turn on the living room light"
"Dim the bedroom to 30%"
"Set AC to cool mode at 24 degrees"
"Is the door locked?"
"Lock the front door"
"What's the living room temperature?"
"Turn off all lights"
"Open the blinds"
"Start the vacuum"
