Downloads: 158 · Stars: 2 · Active installs: 1 · Versions: 6
Install in OpenClaw: /install xiaomi-miot-lan
Description
Xiaomi Mi Home smart home control skill. Controls Xiaomi IoT devices such as lights, air conditioners and robot vacuums through Xiao Ai speakers and Mi Home devices. Used when the user issues smart home control commands such as "turn on the light", "turn off the air conditioner" or "have the robot vacuum clean".
Usage Guidance
This skill appears to implement the described Xiaomi login and device-control flow and uses Feishu to present login cards — that part is coherent. However, the code contains a hard-coded Xiaomi client_secret in login_card.py that contradicts the SKILL.md guidance to pass secrets via environment variables. Before installing or using this skill:
- Do not reuse production secrets. Create and use dedicated test FEISHU and Xiaomi OAuth credentials so you can revoke them if needed.
- Ask the author to remove the hard-coded client_secret and rely solely on the XIAOMI_CLIENT_SECRET env var (or confirm why the hard-coded value is present). Hard-coded secrets may indicate sloppy engineering or a leaked/stale credential.
- Inspect (or request) the full code beyond the truncated portion to confirm there are no additional unexpected network endpoints or data exfiltration.
- Verify the token cache path (~/.openclaw/skills/xiaomi-miot/data/token_cache.json) is acceptable for your threat model and ensure filesystem permissions are strict (owner-only).
If the author cannot justify or remove the embedded client_secret, treat this as a significant red flag and avoid installing it in production environments.
Capability Analysis
Type: OpenClaw Skill
Name: xiaomi-miot-lan
Version: 1.4.0
The skill implements Xiaomi Mi Home integration but exhibits high-risk security practices. Most notably, SKILL.md instructs the AI agent to collect the user's Xiaomi password in plain text via the chat interface, exposing it to the LLM and the platform. Additionally, the skill stores sensitive authentication tokens in a local file (~/.openclaw/skills/xiaomi-miot/data/token_cache.json) and uses a hardcoded OAuth client secret in login_card.py. While these behaviors represent significant security vulnerabilities regarding credential handling, there is no clear evidence of intentional data exfiltration to unauthorized third-party domains beyond the official Xiaomi and Feishu endpoints.
Capability Assessment
Purpose & Capability
Name/description (Xiaomi Miot device control) match the code and instructions: the skill implements login, token caching, and device list retrieval via Xiaomi APIs and uses Feishu to present interactive login cards. Requesting FEISHU_APP_ID/FEISHU_APP_SECRET (to send cards) and Xiaomi OAuth client id/secret is consistent with the described flow. However, one code file (login_card.py) hard-codes a Xiaomi client_secret value rather than using the declared environment variable, which contradicts the SKILL.md statement that secrets are passed via env vars.
Instruction Scope
SKILL.md describes a login flow, token caching path (~/.openclaw/skills/xiaomi-miot/data/token_cache.json), and the need to provide FEISHU and Xiaomi credentials. The runtime instructions and the code operate within that stated scope: they request credentials, prompt for captcha when needed, call Xiaomi APIs, and use Feishu APIs to show/update cards. The skill stores tokens locally in the declared cache path. There is no instruction or code that accesses unrelated system paths or sends data to third-party endpoints other than Xiaomi and Feishu.
Install Mechanism
No install spec (instruction-only) and a small requirements.txt with 'requests' only. This is a low-risk install pattern and consistent with an instruction-only Python skill.
Credentials
Requested environment variables (XIAOMI_CLIENT_ID/SECRET and FEISHU_APP_ID/SECRET) are appropriate for the listed capabilities. However, login_card.py contains a hard-coded Xiaomi client_secret string used in OAuth token calls, contradicting the SKILL.md claim that "sensitive information is passed via environment variables and is not hard-coded in the code" ('敏感信息通过环境变量传递,不硬编码在代码中'). This discrepancy is a meaningful inconsistency: either the code will ignore the provided CLIENT_SECRET env var (leading to unexpected behavior), or the author accidentally embedded a secret. Hard-coded client secrets are a risk because they may leak or be reused incorrectly.
Persistence & Privilege
The skill does persist the OAuth token to ~/.openclaw/skills/xiaomi-miot/data/token_cache.json as described in SKILL.md; this is expected for an integration that needs reusable tokens. The skill is not marked always:true and does not request system-wide privileges or alter other skills' configs.
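The two checks that the Usage Guidance and the Credentials / Persistence sections ask for, written as an added Python example that is not part of the skill's own code: the client secret is read only from XIAOMI_CLIENT_SECRET with no embedded fallback, and the token cache is created owner-only at the declared path and verified afterwards. The variable name and cache path come from the page; the sample token and the self_check helper are constructed for the example.

```python
# Added example, not the skill's own code; assumes the XIAOMI_CLIENT_SECRET
# variable and the cache path named on the page. Sample data is constructed.
import json
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_CACHE = Path("~/.openclaw/skills/xiaomi-miot/data/token_cache.json")


def load_client_secret(env=None):
    """Secret comes from the environment only: no fallback literal, fail closed."""
    env = os.environ if env is None else env
    secret = env.get("XIAOMI_CLIENT_SECRET", "").strip()
    if not secret:
        raise RuntimeError("XIAOMI_CLIENT_SECRET is not set; refusing to start")
    return secret


def write_token_cache(token, path=DEFAULT_CACHE):
    """Persist the token owner-only from the first write: os.open with 0o600
    applies the mode at creation, so the file is never briefly world-readable."""
    path = Path(path).expanduser()
    path.parent.mkdir(parents=True, exist_ok=True)
    path.parent.chmod(0o700)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(token, fh)
    os.chmod(path, 0o600)  # also tightens a pre-existing file with a laxer mode
    return path


def cache_is_owner_only(path=DEFAULT_CACHE):
    """True only for a regular file owned by this user with no group/other bits."""
    try:
        st = Path(path).expanduser().lstat()  # lstat: a symlink is not accepted
    except FileNotFoundError:
        return False
    no_group_other = st.st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
    return stat.S_ISREG(st.st_mode) and no_group_other and st.st_uid == os.getuid()


def self_check():
    """Write a constructed token into a temp dir and report what the checks see."""
    with tempfile.TemporaryDirectory() as tmp:
        p = write_token_cache({"access_token": "sample"}, Path(tmp) / "token_cache.json")
        return {
            "owner_only": cache_is_owner_only(p),
            "mode": oct(stat.S_IMODE(p.stat().st_mode)),
            "missing_cache_flagged": not cache_is_owner_only(Path(tmp) / "absent.json"),
        }
```

Running cache_is_owner_only against the real DEFAULT_CACHE after installing the skill tells you whether the cache it wrote meets the owner-only requirement from the guidance above.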
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install xiaomi-miot-lan
- After installation, invoke the skill by name or use /xiaomi-miot-lan
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.4.0
Bug fix: several resp.json() calls did not handle the &&&START&&& prefix, causing JSON parsing failures; login flow optimized
v1.3.0
Security fix: removed hard-coded credentials in favour of environment variables; fixed dependency mismatch (aiohttp→requests)
v1.2.0
Security fix: removed data/config.json, which contained sensitive information; the token cache is now generated at runtime
v1.1.0
Cross-platform version: removed the card dependency in favour of plain-text interaction; supports Feishu, WeCom, DingTalk, web and terminal on all platforms
v1.0.1
Fixed authentication flow: uses OAuth2 + macaroon token; device list retrieval now succeeds; supports router and Xiao Ai speaker control
v1.0.0
Xiaomi Mi Home smart home control skill, supporting device list queries, switch control, scene triggering and more
Frequently Asked Questions
What is Xiaomi Miot?
Xiaomi Mi Home smart home control skill. Controls Xiaomi IoT devices such as lights, air conditioners and robot vacuums through Xiao Ai speakers and Mi Home devices. Used when the user issues smart home control commands such as "turn on the light", "turn off the air conditioner" or "have the robot vacuum clean". It is an AI Agent Skill for Claude Code / OpenClaw, with 158 downloads so far.
How do I install Xiaomi Miot?
Run "/install xiaomi-miot-lan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Xiaomi Miot free?
Yes, Xiaomi Miot is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Xiaomi Miot support?
Xiaomi Miot is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Xiaomi Miot?
It is built and maintained by woodylan (@lanlan314); the current version is v1.4.0.