Xiaomi
v1.0.0
[English] Control Xiaomi Home devices via local LAN using miiocli. Supports status checks, toggling power, and MIOT property manipulation for devices like smart plugs, humidifiers, and rice cookers. | [Chinese] Control Xiaomi Home smart devices over the local LAN using miiocli. Supports viewing status, power switching, and property tuning for MIOT devices such as smart plugs, humidifiers, and rice cookers.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose (local LAN control of Xiaomi devices using miiocli) matches the required binary (miiocli) and example commands. However the SKILL.md repeatedly claims a 'bundled' token_extractor script and other support files (scripts/token_extractor.py, references/devices.md) that are not present in the skill bundle, which is inconsistent.
Instruction Scope
Instructions tell the agent to run a token-extraction script that syncs device IPs and 32‑byte tokens from Xiaomi Cloud and to store tokens locally; but that script is not included. The instructions implicitly require access to Xiaomi account credentials and direct users to store sensitive tokens in plaintext files (references/*), which expands scope beyond simple LAN control and risks leaking secrets.
Install Mechanism
There is an install step in the metadata that runs 'pipx install python-miio' and then runs pip against a hard-coded pipx venv path (/Users/$(whoami)/.local/pipx/venvs/python-miio/bin/python -m pip install ...). Installing from PyPI is expected for python-miio, but the command is macOS/Unix user-path specific, brittle, and will modify the user's pipx environment. No archive downloads from unknown hosts were used.
Credentials
The skill declares no required environment variables, yet it instructs obtaining tokens from Xiaomi Cloud and storing them in local files. That implies needing Xiaomi account credentials and secrets (tokens) but the skill does not declare or document how credentials are handled or protected. Storing tokens in repo files is a sensitive practice not justified in the description.
Persistence & Privilege
always:false and normal autonomous invocation are fine. The install step will create/modify a user-level pipx venv for python-miio (persistent in the user environment). The skill does not request system-wide changes or modify other skills, but the install is persistent in the user's home.
What to consider before installing
This skill claims to include helper scripts (a token extractor) and example files but those files are not in the package — that's a strong inconsistency. Before installing or running anything:
1) Do not run any token-extraction commands or paste your Xiaomi account credentials unless you can inspect the actual script code locally.
2) If you want python-miio, install it yourself (follow official project instructions) rather than running the provided one-line that hardcodes a pipx venv path.
3) Avoid storing device tokens or account credentials in plaintext files inside a project/repo; use a secure secret store.
4) Ask the publisher to provide the missing scripts and a reproducible, cross-platform install recipe (and to explain how tokens are obtained and protected).
If the publisher cannot produce the missing files and transparent instructions, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latest vk97bch91943xnx0sw5gtgzxb7580kr95
Runtime requirements
🏠 Clawdis
Bins: miiocli
