← Back to Skills Marketplace

Xiaomi Home Control

Name: Xiaomi Home Control
Author: canmaxfire

by canmaxfire · GitHub ↗ · v1.2.2 · MIT-0

cross-platform ⚠ suspicious

156

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install openclaw-xiaomi-home

Description

Control Xiaomi/Mijia smart home devices via Home Assistant using natural language to manage lights, AC, locks, fans, sensors, and more locally.

Usage Guidance

Things to check before installing or running this skill: - Verify credentials metadata: the registry entry shows no required env vars, but the skill needs HA_TOKEN and HA_URL in scripts/ha-mcp-server/.env. Treat HA_TOKEN as highly sensitive — do not share it and restrict file permissions (chmod 600). - Network exposure: the code enforces Bearer auth and CORS but does not bind the MCP server explicitly to 127.0.0.1. By default Node will listen on all interfaces. If you only want local access, edit scripts/ha-mcp-server/src/http-server.mjs to bind to 127.0.0.1, or use a firewall rule to block external access to the MCP port (default 3002). - Persistence: setup.sh installs a LaunchAgent to keep the MCP server running. Review the generated plist before loading it, and remove/unload it when you no longer want the service. - Docker privileges: the docker-compose/run uses --privileged and host networking for Home Assistant. This is common for HA but increases host privileges. Only run it on a trusted machine. - Validate the code and sources: if you obtained the skill from this bundle rather than an official repo, consider auditing the small server files (http-server.mjs and call-tool.mjs) yourself or sourcing the project from a maintained upstream repository. Confirm package.json and package-lock integrity before running npm install. If you want a conservative safe setup: do not run setup.sh unmodified. Instead (a) manually create the .env with HA_URL and HA_TOKEN, (b) run the MCP server bound to 127.0.0.1, (c) use firewall rules to block remote access to the MCP port, and (d) only enable the LaunchAgent after inspecting the plist.

Capability Analysis

Type: OpenClaw Skill Name: openclaw-xiaomi-home Version: 1.2.2 The skill bundle provides a legitimate Model Context Protocol (MCP) server for controlling Xiaomi smart home devices via a local Home Assistant instance. The implementation in `scripts/ha-mcp-server/src/http-server.mjs` includes appropriate security measures for a local service, such as Bearer token authentication, CORS restrictions to localhost, and origin validation to prevent cross-site attacks. Sensitive credentials (HA_TOKEN) are handled locally via a `.env` file and are only transmitted to the user's local Home Assistant API (defaulting to localhost:8123). The setup script (`scripts/setup.sh`) automates the deployment of Home Assistant via Docker and configures a macOS LaunchAgent for persistence, which is consistent with the stated purpose of maintaining a background control server.

Capability Tags

requires-oauth-tokenrequires-sensitive-credentials

Capability Assessment

ℹ Purpose & Capability

The skill's stated purpose (control Xiaomi devices via Home Assistant) matches the code and docs: the MCP server calls Home Assistant APIs and exposes tools for lights, climate, locks, sensors, etc. However the registry metadata claims no required env vars/credentials whereas SKILL.md, README, setup.sh and server code require and use a Home Assistant long-lived token (HA_TOKEN) and HA_URL — this metadata omission is an inconsistency.

⚠ Instruction Scope

SKILL.md and README describe a local-only design. The code enforces Bearer auth and restricts CORS to http://localhost, but the server does not explicitly bind to 127.0.0.1; it listens on the configured port on all interfaces by default. Origin/CORS restrictions only affect browsers; non-browser clients (or remote hosts that can reach the port) could attempt requests. The setup script also creates a LaunchAgent that will run the MCP server persistently. The documentation's claim 'MCP server only accepts requests from localhost' is therefore inaccurate/insufficient.

ℹ Install Mechanism

This is mostly instruction-only with included helper scripts; there is no opaque remote install URL. Installation runs docker compose (pulling Home Assistant from ghcr.io) and npm install in the ha-mcp-server folder (package.json only depends on dotenv, but package-lock contains many entries). The setup script runs docker (including a fallback docker run with --privileged and host networking) and installs a LaunchAgent. These are expected for a local Home Assistant integration but grant the container broad host privileges and persistent behavior — standard for HA but worth noting.

⚠ Credentials

The skill requires a Home Assistant Long-Lived Access Token (HA_TOKEN) and HA_URL in an .env file for the MCP server to authenticate to Home Assistant. Requesting HA_TOKEN is appropriate for controlling Home Assistant, but the registry metadata did not declare any required env vars/primary credential (mismatch). The code reads .env from the skill directory and will include HA_TOKEN in Authorization headers to the local HA instance; ensure .env is protected (file permissions) because this token grants control over devices and automations.

⚠ Persistence & Privilege

The provided setup.sh installs a LaunchAgent under ~/Library/LaunchAgents to run the MCP server persistently and starts Home Assistant containers. Persistent LaunchAgents and a privileged Home Assistant container increase attack surface and permanence of the skill on the system. always:false (no forced inclusion), but the skill does persist itself as a per-user service if the user runs setup.sh.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install openclaw-xiaomi-home
After installation, invoke the skill by name or use /openclaw-xiaomi-home
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.2.2

Fix entity ID documentation - entity IDs are device-specific, added finding guide

v1.2.1

Added XiaoAI TTS voice announcement via xiaoai_announce tool

v1.2.0

Fix: bearer token auth on MCP server, CORS restricted to localhost, declare HA_TOKEN credential

v1.1.3

Trigger re-scan: clarify HA_TOKEN stays local only

v1.1.2

Add security section: clarify HA_TOKEN stays local, no LLM, no exfiltration

v1.1.1

Rewrite tagline: your OpenClaw controls your smart home via Home Assistant

v1.1.0

Rewrite: plain language descriptions, user benefit focus instead of technical jargon

v1.0.2

Professional docs rewrite — English only, security transparency, deduplicate content

Metadata

Slug openclaw-xiaomi-home

Version 1.2.2

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 8

Frequently Asked Questions

What is Xiaomi Home Control?

Control Xiaomi/Mijia smart home devices via Home Assistant using natural language to manage lights, AC, locks, fans, sensors, and more locally. It is an AI Agent Skill for Claude Code / OpenClaw, with 156 downloads so far.

How do I install Xiaomi Home Control?

Run "/install openclaw-xiaomi-home" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Xiaomi Home Control free?

Yes, Xiaomi Home Control is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Xiaomi Home Control support?

Xiaomi Home Control is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Xiaomi Home Control?

It is built and maintained by canmaxfire (@canmaxfire); the current version is v1.2.2.

More Skills