Xiaomi

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated Xiaomi home-control purpose, but it uses device tokens and commands that can change real appliance states, so users should verify targets and protect credentials.

Before installing, make sure you trust the miiocli/python-miio setup source, review any token extraction script before running it, store device tokens privately, and use the skill only for devices where accidental on/off or property changes would be safe.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A wrong command, IP, token, or property ID could turn on or reconfigure a real device unexpectedly.

Why it was flagged

The skill documents raw miiocli commands that can change Xiaomi device properties, including turning a smart plug on or off. This is central to the skill's purpose, but mistakes can affect real appliances.

Skill content

`miiocli miotdevice --ip <IP> --token <TOKEN> raw_command set_properties '[{"siid": 2, "piid": 1, "value": true}]'`

Recommendation

Use only with devices you intend to control, verify IP/token mappings, and avoid unattended use for safety-critical appliances.

What this means

Anyone who obtains the tokens may be able to control the associated Xiaomi devices on the network.

Why it was flagged

Device tokens grant control authority over Xiaomi devices. Fetching them from Xiaomi Cloud is expected for this integration, but the credential handling is sensitive and not declared as a primary credential in the registry metadata.

Skill content

**Built-in Token Extractor**: Includes a script to easily fetch your device IPs and Tokens from Xiaomi Cloud.

Recommendation

Only run token extraction tools from trusted sources, keep tokens private, and rotate or refresh device tokens if they are exposed.

What this means

Sensitive device-control information could remain in local reference files and be exposed if those files are shared, synced, or included in future agent context.

Why it was flagged

The skill asks users to persist device details, which likely include IP addresses and tokens, in reference files that may be reused by the agent in later tasks.

Skill content

Store your device details in `references/devices.md` or `references/my_private_devices.md`.

Recommendation

Store tokens only in private, access-controlled files and avoid committing or sharing the references directory.

What this means

Setup depends on external package contents and a referenced helper script that was not included in the supplied artifact set.

Why it was flagged

The skill documents an executable package install and dependency workaround. This is purpose-aligned for miiocli use, but the package is not pinned to a specific python-miio version, and the provided manifest contains no helper script for review.

Skill content

`pipx install python-miio && /Users/$(whoami)/.local/pipx/venvs/python-miio/bin/python -m pip install 'click<8.1.0'`

Recommendation

Install python-miio from trusted package sources, review any token extraction script before running it, and prefer pinned dependency versions where possible.