Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xiaomi
v1.0.0
[English] Control Xiaomi Home devices via local LAN using miiocli. Supports status checks, toggling power, and MIOT property manipulation for devices like smart plugs, humidifiers, and rice cookers.
[Chinese, translated] Control Xiaomi Home smart devices over the local network using miiocli. Supports status viewing, power switching, and property tuning for MIOT devices such as smart plugs, humidifiers, and rice cookers.
⭐ 0 · 1.3k · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The README claims a "built-in Token Extractor" script (scripts/token_extractor.py), pre-configured workflows, and an automatic dependency fix. The published bundle contains no code files, only SKILL.md, so the claimed scripts and resources are missing. The skill does correctly declare that it requires the miiocli binary, which matches the stated purpose, but the advertised bundled tooling is absent.
Instruction Scope
Instructions tell the user/agent to run a token extractor to fetch device IPs and 32‑byte device tokens from Xiaomi Cloud, and to store device details in local reference files. The SKILL.md does not explain how Xiaomi account credentials are provided, and the extractor script it references is not present, so the runtime instructions cannot be followed as written and implicitly require credentials or browser cookies that are not declared.
Install Mechanism
The SKILL.md metadata suggests installing python-miio via pipx and then forcing a click<8.1.0 install inside the pipx venv. Installing python-miio from PyPI via pipx is a reasonable, low-risk approach, but the install command hardcodes a user-specific path (/Users/$(whoami)/.local/pipx/venvs/...), which is platform-specific and brittle. There is no arbitrary URL download or archive extraction.
Credentials
The skill declares no required environment variables or credentials, yet its instructions refer to extracting tokens from Xiaomi Cloud (which normally requires Xiaomi account credentials, cookies, or other secrets). The absence of any declared credential requirements is a mismatch and leaves unclear how sensitive credentials would be supplied or handled.
Persistence & Privilege
The skill does not request always:true or any persistent privileged configuration. It is user-invocable and allows autonomous invocation (default), which is normal; there is no evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to describe useful local control via miiocli, but the package is instruction-only: it references a token_extractor script and other files that are not included. Before installing or running anything:
1) Ask the publisher for the missing scripts or source code and inspect them (token-extraction code can handle sensitive credentials).
2) If you must fetch device tokens, do so manually or with trusted tools; do not hand over Xiaomi account credentials to unknown scripts.
3) If you run the provided pipx install, be aware the command assumes a specific pipx venv path and will modify your Python environment; prefer installing python-miio yourself and verify the click version change.
4) Only proceed if you trust the skill source and have verified the token extraction method and storage location for your device tokens.

Like a lobster shell, security has layers: review code before you run it.
latest: vk976g2m61fjya6nkdmaqtqx2n580k16d
Runtime requirements
Clawdis
Binaries: miiocli