xiaomi-home-assistant-skill

Pass

Audited by ClawScan on Feb 23, 2026.

Overview

The skill's code, required permissions, and instructions are consistent with a Home Assistant integration that reads local config files and queries a local Home Assistant instance; nothing indicates covert behavior or unrelated access requests.

This skill appears to do what it claims: read local config and call your Home Assistant API. Before installing, review and accept these points:

(1) You must store a Home Assistant long-lived access token in a config file; keep that file private and consider using a token with minimal required scopes.
(2) The SKILL.md mentions homeassistant_auth.json but the code actually reads config.json for the token — ensure you put the token where the handlers expect it.
(3) Verify all configured entity IDs (they are hardcoded examples) so actions go to the correct devices.
(4) Confirm you trust the source since the repository/homepage fields are empty; although the code is straightforward, an unknown source increases risk.
(5) If you prefer not to persist the token on disk, consider using a runtime secret store or short-lived token mechanism.

Finally, ensure your OpenClaw environment has only the necessary network access to your Home Assistant instance.