xiaoai-bridge
WarnAudited by ClawScan on May 10, 2026.
Overview
The voice bridge is mostly purpose-aligned, but it ships real-looking Xiaomi session credentials and includes unsafe shell-command examples that need review before use.
Do not install this package until the bundled scripts/.mi.json credential cache is removed and the exposed Xiaomi tokens are rotated. If you proceed after cleanup, configure only your own Xiaomi credentials, keep a non-empty trigger phrase, secure logs, and replace the documented exec-based examples with spawn/execFile argument arrays.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone receiving the skill package may see or try to use someone else’s Xiaomi account/session data, and the skill’s own credential requirements are not clearly declared in metadata.
This file contains real-looking Xiaomi passToken/serviceToken values plus device identifiers, not placeholders. That exposes account/device access material and contradicts the expected user-supplied credential model.
"userId":"2277466353","passToken":"V1:...","serviceToken":"6a/ouu75...","device":{"name":"小米AI音箱"..."mac":"50:A0:09:E8:E6:F9"}Remove scripts/.mi.json from the package, revoke/rotate the exposed Xiaomi tokens, add credential cache files to .gitignore, and declare MI_USER_ID, MI_PASS_TOKEN or MI_PASSWORD, and MI_DEVICE_ID as required configuration.
A crafted voice command or generated response could cause unintended local shell commands to run if users follow the example exactly.
The documentation places dynamic assistant response text into a shell command. If that text contains quotes or shell metacharacters, copying this pattern can allow command injection.
await exec(`node skills/xiaoai-bridge/scripts/xiaoai-listen.js speak "${response}"`);Use child_process.spawn or execFile with argument arrays and shell:false, or call a safe internal API instead of building shell commands with interpolated text.
Spoken commands may appear in OpenClaw context or logs, especially when running with output redirected to xiaoai.log.
The listener retrieves Xiaomi voice conversation records and outputs both filtered text and the original spoken text for downstream processing.
const conversations = await mina.getConversations({ limit: 10, timestamp: lastTimestamp }); ... originalText: msg.originalTextUse a non-empty trigger prefix, protect or rotate logs, avoid speaking sensitive information near the device, and document how long any logs or forwarded messages are retained.
The bridge may keep listening in the background longer than expected if the user forgets it is running.
The skill explicitly supports a long-running background listener. This is disclosed and purpose-aligned, but it means the bridge continues polling and processing voice messages until stopped.
node scripts/xiaoai-listen.js > xiaoai.log 2>&1 &
Run it under a visible process manager, document stop/restart commands, and only enable it when continuous voice control is intended.
Dependency installation relies on external package sources, and users must trust the pinned packages and mirror configuration.
The package lock pins the dependency with an integrity hash, but it resolves from an HTTP mirror rather than HTTPS. The dependency is purpose-aligned, but provenance should be verified.
"resolved": "http://mirrors.tencentyun.com/npm/@mi-gpt/miot/-/miot-1.2.2.tgz", "integrity": "sha512-HM4j..."
Prefer HTTPS registry URLs, keep the lockfile, verify dependency provenance, and avoid installing if the lockfile changes unexpectedly.