小米家居 (Xiaomi Home)

[English] Control Xiaomi Home devices via local LAN using miiocli. Supports status checks, toggling power, and MIOT property manipulation for devices like smart plugs, humidifiers, and rice cookers. | [中文] 通过局域网利用 miiocli 控制米家智能设备。支持查看状态、开关控制以及对智能插座、加湿器、电饭煲等 MIOT 设备的属性调优。

Review before installing. Remove and rotate any exposed Xiaomi device tokens if they belong to you, do not publish or commit token inventories, avoid passing account passwords on the command line, keep debug logging off, and require explicit confirmation before commands that power or change appliances, cameras, routers, or other physical devices.

Type: OpenClaw Skill Name: xiaomi-home Version: 1.2.1 The skill is classified as suspicious due to its high-risk capabilities, despite lacking clear evidence of intentional malicious behavior. The `scripts/token_extractor.py` script requires the user's Xiaomi account credentials (username/password or QR code) to log into Xiaomi Cloud, then extracts sensitive device tokens and IPs. This script performs network requests to external Xiaomi cloud services (e.g., `account.xiaomi.com`, `api.io.mi.com`) and starts a local HTTP server on port 31415 for displaying CAPTCHA or QR codes. Additionally, the `SKILL.md` includes an installation command that executes shell commands (`pipx install python-miio && /Users/$(whoami)/.local/pipx/venvs/python-miio/bin/python -m pip install 'click<8.1.0'`). While these actions are aligned with the stated purpose of controlling Xiaomi devices, the handling of sensitive credentials and tokens, combined with network and shell access, represents a significant security risk if the script were compromised or misused.