Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiGPT Xiaomi Assistant

v1.0.0

Deploy MiGPT on a Xiaomi smart speaker to replace the built-in AI with a custom LLM-powered voice assistant. Use when: (1) setting up mi-gpt on a Xiaomi/Redm...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Most of the files and instructions (config template, MIoT command mapping, streamResponse handling, latency guidance) are coherent with the stated goal of deploying MiGPT on Xiaomi speakers. However, the inclusion of a browser cookie 'injection' procedure and explicit code to persist serviceToken/ssecurity/passwords goes beyond typical setup guidance: it's a direct authentication bypass step that is sensitive even if it serves the deployment goal.
Instruction Scope
Runtime instructions tell the user/agent to collect browser cookies and Xiaomi credentials, run code that exchanges passToken/serviceToken, write those credentials into .mi.json, and patch files inside node_modules to skip login and change behavior. These are persistent, privileged operations that handle highly sensitive secrets and alter installed package code. The instructions also recommend enabling debug which will dump env vars (explicitly warns this leaks API keys). The skill does not limit or clarify how browser cookies should be collected or protected — this broad and persistent handling of secrets is a significant scope expansion from a simple deployment guide.
Install Mechanism
There is no install spec (instruction-only), which is lower-risk in terms of arbitrary downloads. The guide expects npm install of mi-gpt and mi-service-lite and manual patches to node_modules; modifying node_modules is risky (will be overwritten on updates) but not unusual for local hacks. No remote or obfuscated download URLs are used in the skill files themselves.
Credentials
The skill metadata declares no required env vars or credentials, yet the instructions clearly require an OpenAI-compatible API key (OPENAI_API_KEY/OPENAI_BASE_URL) and Xiaomi account credentials and browser cookies (userId, password, passport_slh, passport_ph, deviceId, passToken, ssecurity, serviceToken). Requesting and storing these highly sensitive values is disproportionate to a registry entry that declares none — metadata mismatch increases risk and surprises users about what secrets will be needed and stored.
Persistence & Privilege
The skill does not request 'always:true' and has no special platform privileges. However, instructions explicitly persist credentials into .mi.json and propose patching node_modules to change login behavior — these actions create long-lived local credentials and altered package behavior. That persistence increases risk (stale or leaked tokens, elevated access) but the skill does not ask to modify other skills or system-wide agent configuration.
What to consider before installing
This skill mostly documents how to run MiGPT on Xiaomi speakers, but it includes an explicit MIoT authentication bypass that requires collecting browser cookies, Xiaomi passwords, and writing tokens to disk plus patching node_modules. Before using:

  1. Verify the source repository and maintainer — prefer an upstream/official repo.
  2. Do not paste browser cookies or passwords into tools or agents you don't fully trust; collect credentials manually and store them securely (use a temporary account if possible).
  3. Avoid enabling debug (it will log env vars including API keys).
  4. Understand that the provided patches persistently alter installed packages and will be overwritten by updates — prefer patch-package or postinstall scripts and keep patches under version control.
  5. Consider alternatives that do not require auth bypass (e.g., configure device via official app, disable native voice replies in the Xiaomi app instead of cookie injection).
  6. If you must proceed, inspect every line of the cookie-exchange and file-write code yourself and only run it locally on a machine you control.

Additional useful information to raise confidence: a verifiable upstream project URL, evidence that the cookie-exchange method is an accepted/official workaround (not an exploit), or a clear statement about whether the skill ever transmits credentials to external servers (currently it stores them locally).

Like a lobster shell, security has layers — review code before you run it.

v1.0.0
MIT-0

MiGPT Xiaomi Voice Assistant Deployment

Deploy mi-gpt v4.2.0+ on a Xiaomi smart speaker to replace the built-in AI with a custom LLM assistant.

Prerequisites

  • Node.js >= 18
  • Xiaomi account with a supported smart speaker
  • An OpenAI-compatible LLM API (DashScope, DeepSeek, OpenRouter, etc.)

Quick Start

1. Initialize project

mkdir -p ~/projects/mi-gpt && cd ~/projects/mi-gpt

Create package.json:

{
  "type": "module",
  "dependencies": { "dotenv": "^17.0.0", "mi-gpt": "^4.2.0" }
}

npm install

2. Create files

app.js:

import "dotenv/config";
import config from "./.migpt.js";
import { MiGPT } from "mi-gpt";
const client = MiGPT.create(config);
await client.start();

.env:

OPENAI_MODEL=your-model
OPENAI_API_KEY=sk-xxx
OPENAI_BASE_URL=https://your-api-endpoint/v1

.migpt.js — See references/config-template.md for full template with comments.

3. Find your device's MIoT commands

Different speaker models use different MIoT siid/aiid values. Look up your model in mi-gpt issues or the MIoT spec.

Common values:

Model                  ttsCommand  wakeUpCommand  streamResponse
X08E (Redmi 8-inch)    [7, 3]      [7, 1]         false
LX04                   [5, 1]      [5, 3]         true
L05C                   [5, 1]      [5, 3]         true
LX06                   [5, 1]      [5, 3]         true
L09A                   [5, 1]      [5, 3]         true

4. Run

nohup node app.js > migpt.log 2>&1 &
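
Everything the process prints lands in migpt.log, and the scan above notes that debug mode dumps environment variables, API keys included. The following added example (not from the skill or from mi-gpt) scans log text for the credential names this page mentions and redacts their values; the sample lines and the log format are constructed assumptions.

```javascript
// Added example, not part of the skill or of mi-gpt: find and redact credential
// values in migpt.log-style text. Key names are the ones this page mentions.
const SECRET_KEYS = ["OPENAI_API_KEY", "password", "passToken", "serviceToken", "ssecurity"];

// KEY=value, KEY: value and "KEY":"value" forms (env dump, plain text, JSON).
const KEYED = new RegExp(
  `["']?\\b(${SECRET_KEYS.join("|")})\\b["']?\\s*[:=]\\s*["']?([^"'\\s,}]+)`, "g");
// Bare API keys with the sk- prefix used in the page's .env example.
const BARE = /\bsk-[A-Za-z0-9_-]{8,}/g;

// Redact one line; returns the safe text and the names of what was found.
function redactLine(line) {
  const keys = [];
  const text = line
    .replace(KEYED, (match, key, value) => {
      keys.push(key);
      return match.slice(0, match.length - value.length) + "[REDACTED]";
    })
    .replace(BARE, () => {
      keys.push("bare sk- key");
      return "[REDACTED]";
    });
  return { text, keys };
}

// Scan a whole log: findings carry line numbers only, never the secret itself.
function scanLog(logText) {
  const findings = [];
  const redacted = logText.split(/\r?\n/).map((line, i) => {
    const { text, keys } = redactLine(line);
    keys.forEach((key) => findings.push({ line: i + 1, key }));
    return text;
  });
  return { findings, redacted: redacted.join("\n") };
}

// Constructed sample lines; the real debug output format is an assumption.
const SAMPLE_LOG = [
  "MiGPT started",
  "env OPENAI_MODEL=demo OPENAI_API_KEY=sk-EXAMPLEONLY0000 OPENAI_BASE_URL=https://api.example.invalid/v1",
  '{"userId":"1000","serviceToken":"EXAMPLE-TOKEN","ssecurity":"EXAMPLE-SSEC"}',
  "request failed, header was: Bearer sk-EXAMPLEONLY0000",
].join("\n");

const report = scanLog(SAMPLE_LOG);
console.log(report.findings);
console.log(report.redacted);
```

Any finding means the key or token on that line should be treated as exposed and rotated, not just scrubbed from the file.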

Critical Issues & Fixes

Issue 1: MiNA TTS returns success but no audio (X08E and some models)

Symptom: mina.play({tts: '...'}) returns true but speaker stays silent.

Cause: Some models (notably X08E) don't support MiNA's ubus mibrain/text_to_speech. They require MIoT's doAction.

Fix: Ensure ttsCommand is set correctly. MiGPT will use MIoT doAction(siid, aiid, text) when ttsCommand is configured.

Issue 2: MIoT login triggers security verification every time

Symptom: securityStatus: 16 on every startup, even after completing SMS verification multiple times.

Root cause: mi-service-lite generates a random deviceId on every startup → Xiaomi treats each login as a new device → perpetual verification loop.

Fix: See references/miot-auth-bypass.md for the browser cookie injection method.

Issue 3: streamResponse causes hang on some models

Symptom: MiGPT says "让我想想" then freezes.

Cause: streamResponse: true polls MiNA.getStatus() for playback state. On models where MiNA doesn't control the speaker (e.g., X08E), status always returns "paused", causing the poll loop to malfunction.

Fix: Set streamResponse: false. If you also need keepAlive (continuous conversation) mode, patch enterKeepAlive() in node_modules/mi-gpt/dist/index.js to remove the streamResponse check. See references/patches.md.

Issue 4: Native 小爱 AI races with custom AI

Symptom: Both 小爱 and your custom AI respond to the same query ("split personality").

Mitigations (pick one or combine):

  1. Set onAIAsking: ["嗯"] — immediately interrupts 小爱 with a short TTS
  2. Disable voice reply in 小爱 App (device settings → 语音回复 → off)
  3. Use full takeover mode (全量接管模式): callAIKeywords: [""], which responds to all queries

Issue 5: Wake word misrecognition

Symptom: 小爱's ASR mishears custom keywords (e.g., "花卷卷" → "花姐姐").

Fix: Add common misrecognition variants to callAIKeywords and wakeUpKeywords.

LLM Model Selection

For voice assistants, latency > intelligence. Test your API endpoint:

time curl -s --max-time 15 YOUR_BASE_URL/chat/completions \
  -H "Authorization: Bearer YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model":"MODEL","messages":[{"role":"user","content":"一句话回答:今天星期几"}],"max_tokens":30}'

Target: < 3 seconds for acceptable voice experience. Total end-to-end latency ≈ LLM time + 3-4s (polling + MIoT overhead).

Reference Files

  • references/config-template.md — Full .migpt.js configuration template with all options explained
  • references/miot-auth-bypass.md — Browser cookie injection to bypass MIoT security verification
  • references/patches.md — Required code patches for mi-gpt and mi-service-lite
  • references/latency-analysis.md — End-to-end latency breakdown and optimization tips
