Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
xiaoai-bridge
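v1.0.0
Xiaomi XiaoAi speaker voice-command bridge. Intercepts voice messages from the XiaoAi speaker, converts them into AI assistant commands, and replies via TTS. Supports trigger-word filtering, automatic deduplication, and background listening. Suitable for scenarios such as controlling the OpenClaw assistant by voice through the XiaoAi speaker, smart-home integration, and voice-driven task execution.
⭐ 4 · 715 · 0 current · 0 all-time
by 冬暖夏凉 @warm-winter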
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md and scripts clearly require Xiaomi credentials (MI_USER_ID, MI_PASS_TOKEN or MI_PASSWORD, MI_DEVICE_ID) and use the @mi-gpt/miot library to access device messages and TTS. However, the registry metadata lists no required env vars/credentials — a clear mismatch. Including Xiaomi account tokens in scripts/.mi.json (hardcoded passToken, serviceToken, device info) is unnecessary for distribution and indicates careless handling of credentials or distribution of a pre-authenticated account.
Instruction Scope
The runtime instructions tell the agent/user to run node scripts that: log into a Xiaomi account, poll conversations, print device lists (DEBUG=true), and call TTS play functions. These operations legitimately require the Xiaomi credentials, but the skill also instructs copying .env.example (not present in manifest) and running background processes that will continuously poll and output conversation content. The SKILL.md contains a detected prompt-injection pattern (base64-block). The skill's instructions also recommend executing the listener via child_process.exec (examples), giving broad runtime control over the environment where the skill runs.
Install Mechanism
There is no formal install spec, but the SKILL.md expects 'npm install' in scripts/. The package.json and package-lock are included. The lockfile resolves dependencies via mirrors.tencentyun.com rather than the default npm registry — this may be normal for some users but is worth noting because it changes the provenance of dependencies. There are no arbitrary download URLs or archive extraction steps in the install spec.
Credentials
Functionally, requesting MI_USER_ID, MI_PASS_TOKEN/MI_PASSWORD, and MI_DEVICE_ID is proportional to the stated purpose. But the manifest declares no required env vars while the code and documentation require several secrets — an inconsistency. Worse, the bundle includes scripts/.mi.json with a full passToken, serviceToken, device IDs and other session data: shipping embedded credentials in a skill bundle is unsafe (they may be stale but are effectively leaked). Requiring MI_PASSWORD as an option is also high-risk (encourage passToken instead).
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not claim system-wide changes. It runs as a background process when started, which is expected for a listener. No privileges beyond network access and the Xiaomi credentials are requested.
Scan Findings in Context
[base64-block] unexpected: A prompt-injection pattern (base64-block) was detected in the SKILL.md content. This is not expected for a device-bridge skill and could be an attempt to manipulate prompts or evaluation. Review SKILL.md for any embedded encoded payloads or malicious instructions.
What to consider before installing
This skill does roughly what it claims (connect to Xiaomi, poll voice messages, output JSON, and play TTS), but there are important red flags you should address before installing:
- Do NOT use credentials included in the bundle (scripts/.mi.json). That file contains a passToken/serviceToken and device identifiers; treat it as compromised and remove it. Always use your own MI_PASS_TOKEN or a dedicated account.
- The package metadata omitted required env vars — expect to provide MI_USER_ID, MI_PASS_TOKEN (recommended) or MI_PASSWORD, and MI_DEVICE_ID. Confirm these requirements with the code before running.
- Inspect the @mi-gpt/miot dependency yourself (package-lock points to a Tencent mirror). If you cannot verify the registry/mirror, consider installing dependencies from the official npm registry or review the package source.
- Because the listener continuously polls and prints conversation text, run the skill in an isolated environment (container or VM) to avoid accidental data leakage. Review logs carefully — the script will output user voice text and device info.
- Replace any use of a real personal Xiaomi account with a dedicated/test account if possible. If you ever used the included tokens, rotate credentials immediately.
- Investigate the prompt-injection warning in SKILL.md (base64 or other embedded payloads) and remove any unexpected or encoded content.
If you are not comfortable auditing the dependency (@mi-gpt/miot) and removing the embedded .mi.json first, treat this skill as unsafe to install in a production environment.
Like a lobster shell, security has layers — review code before you run it.
