Xiaomi
Review
Audited by ClawScan on May 10, 2026.
Overview
The Xiaomi device-control purpose is coherent, but review is needed because it asks users to obtain and store Xiaomi device tokens using a referenced helper script that is not included for review.
Review this skill before installing. The basic Xiaomi LAN-control workflow is reasonable, but do not run the referenced token extractor unless you can inspect it, and store Xiaomi device tokens securely. Require explicit confirmation before any command that changes appliance state.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may be asked to run unreviewed code that handles Xiaomi account/device token material.
The skill claims and instructs use of a bundled token extractor, but the provided manifest contains only SKILL.md and no scripts directory, so the sensitive token-handling helper is not available for review.
Built-in Token Extractor: Includes a script to easily fetch your device IPs and Tokens from Xiaomi Cloud. ... python3 scripts/token_extractor.py
Do not run the referenced token extractor unless you can inspect and verify its source; prefer a known trusted token-extraction method and confirm exactly what credentials it reads or outputs.
Anyone or any agent with these tokens may be able to control the associated Xiaomi devices on the LAN.
Xiaomi device tokens are credentials that allow local device control, yet the registry declares no required credentials or environment variables, and the artifact does not specify how Xiaomi Cloud authentication is performed: which account credentials the extractor reads, where it reads them from, or what it writes out.
fetch your device IPs and Tokens from Xiaomi Cloud
Treat device tokens like passwords, use the narrowest device set possible, avoid sharing them, and require user approval before any device state changes.
Device tokens could be exposed through local files, backups, shared repositories, or later agent prompts if those reference files are loaded.
The token-extractor setup step obtains device IPs and tokens, then instructs the user to store those device details in persistent reference files, with no secret-handling guidance and no limit on how those files are reused in later agent context.
Store your device details in `references/devices.md` or `references/my_private_devices.md`.
Store tokens outside shared project files when possible, restrict file permissions, avoid committing them, and redact tokens from any context sent to external services.
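The recommendation above, as an added example that is not part of the skill or of ClawScan's output: a small Python helper that refuses to load a device file unless it is mode 0600 or stricter, validates that each token is the 32-hex-character form Xiaomi miIO tokens use, and redacts anything token-shaped from text before it is sent to an agent or external service. The file layout (`name ip token` per line), the device names and the token values are constructed sample data, and the permission check assumes a POSIX filesystem.

```python
"""Token hygiene for a Xiaomi device-token file (added example, not the skill's code)."""
import os
import re
import stat
import tempfile

# Xiaomi miIO device tokens are 16 bytes, written as 32 hex characters.
TOKEN_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])")


def redact_tokens(text: str, placeholder: str = "<REDACTED-TOKEN>") -> str:
    """Replace anything shaped like a device token before text leaves the machine
    (agent prompts, bug reports, shared notes)."""
    return TOKEN_RE.sub(placeholder, text)


def token_file_is_private(path: str) -> bool:
    """True only for a regular file with no group/other permission bits (0600 or stricter)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & 0o077) == 0


def load_devices(path: str) -> dict:
    """Parse a 'name ip token' per-line file (assumed layout, not the skill's format).
    Refuses to read a file other users can open, so a careless mode fails loudly."""
    if not token_file_is_private(path):
        raise PermissionError(f"{path} is readable by other users; chmod 600 it first")
    devices = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, ip, token = line.split()
            if not TOKEN_RE.fullmatch(token):
                raise ValueError(f"{name}: token is not 32 hex characters")
            devices[name] = {"ip": ip, "token": token}
    return devices


def run_demo() -> dict:
    """Walk through the checks on a constructed device file in a temporary directory."""
    sample = ("# name ip token (constructed sample values)\n"
              "heater 192.168.1.42 0123456789abcdef0123456789abcdef\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "devices.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)                      # world-readable: must be rejected
        private_when_644 = token_file_is_private(path)
        try:
            load_devices(path)
            refused = False
        except PermissionError:
            refused = True
        os.chmod(path, 0o600)                      # owner-only: accepted
        devices = load_devices(path)
        redacted = redact_tokens(
            "miiocli miotdevice --ip 192.168.1.42 "
            "--token 0123456789abcdef0123456789abcdef info")
    return {"private_when_644": private_when_644, "refused": refused,
            "devices": devices, "redacted": redacted}


if __name__ == "__main__":
    print(run_demo())
```

Run `redact_tokens` over any transcript or prompt that quotes a `miiocli` invocation; the regex deliberately matches bare 32-hex strings wherever they appear, since tokens leak most often by being pasted into a command line rather than through the device file itself.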
Mistyped or over-broad commands could turn devices on/off or change settings unexpectedly.
The skill documents raw MIOT property-setting commands that can change smart-home device state; this is aligned with the skill purpose but has real-world effects.
miiocli miotdevice --ip <IP> --token <TOKEN> raw_command set_properties ...
Confirm the target device IP/token and requested action before running state-changing commands, especially for appliances such as heaters.
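One way to enforce that confirmation, as an added example that is not part of the skill or of ClawScan's output: a Python wrapper that builds the `miiocli miotdevice` command line, validates that the target IP is a private (LAN) address and the token has the 32-hex-character form, and runs the command only after an explicit yes for any verb that changes device state. The set of verbs treated as state-changing is an assumption (the page shows only `raw_command set_properties`), the IP, token and JSON payload are constructed sample values, and the `runner` parameter exists so the gate can be exercised without a real device.

```python
"""Confirmation gate for state-changing miiocli commands (added example, not the skill's code)."""
import ipaddress
import re
import subprocess

# Assumed list of miiocli verbs that change appliance state; read-only verbs such as
# 'info' pass through without a prompt.
STATE_CHANGING = {"raw_command", "set_properties", "set_property", "call_action", "on", "off"}
TOKEN_RE = re.compile(r"[0-9A-Fa-f]{32}")


def validate_target(ip: str, token: str) -> None:
    """Refuse anything that is not a LAN address with a well-formed token."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage
    if not addr.is_private:
        raise ValueError(f"{ip} is not a private address; LAN control only")
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token must be 32 hex characters")


def build_argv(ip: str, token: str, *command: str) -> list:
    """Assemble the miiocli invocation shown in the skill, as an argv list (no shell)."""
    return ["miiocli", "miotdevice", "--ip", ip, "--token", token, *command]


def requires_confirmation(argv: list) -> bool:
    """True if any argument is a verb that changes device state."""
    return any(arg in STATE_CHANGING for arg in argv)


def run_guarded(argv: list, confirm=None, runner=subprocess.run):
    """Run argv, prompting first when it changes state. Returns None when declined.
    confirm(prompt) -> bool; defaults to an interactive y/N question."""
    ip = argv[argv.index("--ip") + 1]
    token = argv[argv.index("--token") + 1]
    validate_target(ip, token)
    if requires_confirmation(argv):
        shown = ["<token>" if a == token else a for a in argv]   # never echo the token
        prompt = "About to change device state with: " + " ".join(shown) + " [y/N] "
        if confirm is None:
            confirm = lambda p: input(p).strip().lower() == "y"
        if not confirm(prompt):
            return None
    return runner(argv, check=False)


if __name__ == "__main__":
    # Constructed sample: a heater on the LAN; payload shape is a placeholder.
    argv = build_argv("192.168.1.42", "0123456789abcdef0123456789abcdef",
                      "raw_command", "set_properties", '[{"siid":2,"piid":1,"value":true}]')
    print(run_guarded(argv))
```

Passing argv as a list to `subprocess.run` avoids shell parsing of the payload; keeping the gate in one function means every path that can change appliance state goes through the same prompt.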
Installation depends on external package repositories and may alter a local Python tool environment.
The embedded setup command installs external Python packages and modifies the pipx environment; this is relevant to the stated miiocli purpose but is not reflected as an install spec in the registry metadata.
pipx install python-miio && /Users/$(whoami)/.local/pipx/venvs/python-miio/bin/python -m pip install 'click<8.1.0'
Verify that `python-miio` is the expected package from the expected index, pin exact versions of it and of the downgraded `click`, and run the installation in an isolated environment rather than a shared interpreter. Note that the hardcoded `/Users/$(whoami)/...` venv path only exists on macOS, so the second half of the command fails on other systems.
