← Back to Skills Marketplace
S2 Spatial Adapters
by
MilesXiang
· GitHub ↗
· v2.0.7
· MIT-0
131
Downloads
0
Stars
0
Active Installs
9
Versions
Install in OpenClaw
/install s2-spatial-adapters
Description
Provides a unified, cryptographically secure interface to control Home Assistant, Xiaomi Mijia, and Tuya IoT devices with ephemeral zero-trust connections.
Usage Guidance
This skill's code implements exactly what it says (HA REST, Xiaomi UDP, Tuya cloud). Before installing: (1) don't trust the top-level metadata that claimed 'no required env vars' — the manifest and SKILL.md require several sensitive secrets; (2) never set S2_ENABLE_REAL_ACTUATION=True unless you intentionally want the agent to be able to actuate hardware; test in dry-run first; (3) grant the minimal network access possible (eg. run in a network segment that can reach only the intended local devices and/or Tuya endpoints); (4) store credentials in a secure vault and inject them at runtime (do not place in .env); (5) review and/or run the included code in an isolated environment to confirm no hidden endpoints or telemetry are present; and (6) if you plan to let an autonomous agent use this skill, restrict that agent's permissions and logging, and require human approval for sensitive actions (locks, doors, HVAC). The metadata mismatches lower confidence in how this package was registered — treat it with caution and verify configuration before enabling real actuations.
Capability Analysis
Type: OpenClaw Skill
Name: s2-spatial-adapters
Version: 2.0.7
The S2-Spatial-Adapters bundle is a legitimate smart home integration tool for Home Assistant, Xiaomi Mijia, and Tuya IoT. It exhibits strong security practices, including SSRF protection for local network requests in s2_ha_local_adapter.py, strict domain whitelisting for cloud endpoints in main.py, and proactive credential 'wiping' in the secure_teardown methods across all adapters. No evidence of data exfiltration, malicious execution, or prompt-injection attacks was found; the code is well-structured and aligns perfectly with its stated purpose.
Capability Assessment
Purpose & Capability
Name/description claim a unified zero-trust interface for HA, Mijia, and Tuya — the code (three adapters + main.py) implements exactly those protocols and the manifest lists appropriate dependencies. HOWEVER the top-level registry metadata in the submission indicated 'Required env vars: none' while the manifest and SKILL.md clearly require multiple sensitive environment variables (S2_ENABLE_REAL_ACTUATION, HA_BEARER_TOKEN, MIJIA_DEVICE_TOKEN, TUYA_ACCESS_ID/SECRET, etc.). That metadata mismatch is an coherence issue (not an immediate safety exploit) and could mislead automated gating systems.
Instruction Scope
SKILL.md and main.py give a narrow, well-defined runtime contract: run python main.py <protocol> <element> <device_id> '<intent_json>' with environment-injected credentials; all adapters validate inputs, perform SSRF/private-IP checks, redact payloads in logs, and provide a 'dry-run' when S2_ENABLE_REAL_ACTUATION is not set. The s2_commander_agent.json instructs an agent to emit those CLI invocations (including deterministic/low-temperature generation), which is explicit rather than vague.
Install Mechanism
There is no install spec in the registry (instruction-only install), but the package includes Python code and a requirements.txt (requests, pycryptodome). This is low-to-moderate risk — nothing is downloaded from arbitrary URLs, but an installer step (pip install -r requirements.txt) is expected and dependencies are pinned. The absence of an explicit install step in registry metadata is an inconsistency to be aware of.
Credentials
The code legitimately needs device credentials and a global 'real actuation' flag, and the manifest documents these env vars as sensitive. That is proportionate to the stated purpose. The concern is twofold: (1) the registry summary incorrectly claimed 'no required env vars', creating a metadata mismatch; (2) these are high-sensitivity secrets (access tokens, device keys). Because the skill is designed to allow actual physical actuations when S2_ENABLE_REAL_ACTUATION=True, giving these secrets to the runtime (or to an autonomous agent) carries real-world risk. Confirm who controls the runtime env and where secrets are stored before enabling.
Persistence & Privilege
The skill is not set to always:true and does not attempt to modify other skills or system-wide configs. Autonomous agent invocation is allowed (disable-model-invocation=false) which is expected for tools intended for agents; combine this with real-actuation credentials and it can cause physical effects, but that is a usage risk rather than an elevated platform privilege. No evidence the skill persists credentials beyond its own lifecycle (it attempts to wipe them in secure_teardown).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install s2-spatial-adapters - After installation, invoke the skill by name or use
/s2-spatial-adapters - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.7
- Added README.md with documentation or usage instructions.
- Introduced new agent configuration file: s2_commander_agent.json.
- Updated manifest.json for compatibility or metadata changes.
- No changes to core functionality described in SKILL.md.
v2.0.6
- Version bump to 2.0.6; no source or documentation changes detected.
- All functionality, documentation, and usage remain unchanged from the previous version.
v2.0.5
Version 2.0.5 contains no code or documentation changes.
- No file changes detected in this release.
- All features and documentation remain as in version 2.0.2.
v2.0.4
- Version bump to 2.0.4 with no code or documentation changes.
- No modifications detected to any files.
v2.0.3
s2-spatial-adapters v2.0.3
- Removed the sample environment template file (env_template.txt) from the repository.
- No changes to documentation, usage, or code functionality.
v2.0.2
- Removed the README.md file from the project.
- Updated SKILL.md:
- Strengthened guidance to require environment variables (do not use local .env files in production).
- Clarified security best practices for credential injection and dereferencing.
- Highlighted anti-injection validation and application-level memory safety.
- Streamlined documentation for agent prompt schema and execution examples.
v2.0.1
No file or code changes; documentation updated only.
- SKILL.md improved to clarify security philosophy regarding credential handling.
- Now explicitly states that physical RAM wiping isn't possible in Python; instead, application-level best-effort dereferencing is enforced post-actuation.
- Updated description to reflect Python's memory management limitations and the use of variable reassignment to expedite credential cleanup.
- No user-facing changes to code or functionality.
v2.0.0
**S2-Spatial-Adapters 2.0.0: Major upgrade focused on security, transparency, and zero-trust architecture.**
- Switched to a production-ready, fully audited, “no placeholder” code and documentation model.
- Added `env_template.txt` and `requirements.txt` for robust environment and dependency management.
- Enforced strict JSON schema whitelisting and prompt-injection defense in the main entrypoint.
- All legacy/placeholder code (e.g., `s2_spatial_adapters.py`) removed for clarity and accuracy.
- Updated SKILL.md with detailed operational syntax and examples, ensuring zero hallucination in agent calls.
- Integrated global secure teardown: adapter memory is wiped after each execution for zero-trust compliance.
v1.0.0
S2-Spatial-Adapters 1.0.0 – Initial Release
- Introduces a unified, cryptographically secure interface for controlling Home Assistant, Xiaomi Mijia, and Tuya IoT devices.
- Leverages S2 Spatial Tensors for vendor-agnostic commands: LUMINA (lighting), CLIMATE (HVAC), and SENTINEL (security).
- Implements zero-trust, ephemeral connections that immediately wipe authentication tokens after use.
- Configuration follows cloud-native best practices—no credentials are hardcoded, with dry-run fallback for missing configs.
- Provides clear agent execution instructions with structured protocol examples.
- Includes built-in SSRF protection and liability warnings for physical actuation.
Metadata
Frequently Asked Questions
What is S2 Spatial Adapters?
Provides a unified, cryptographically secure interface to control Home Assistant, Xiaomi Mijia, and Tuya IoT devices with ephemeral zero-trust connections. It is an AI Agent Skill for Claude Code / OpenClaw, with 131 downloads so far.
How do I install S2 Spatial Adapters?
Run "/install s2-spatial-adapters" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is S2 Spatial Adapters free?
Yes, S2 Spatial Adapters is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does S2 Spatial Adapters support?
S2 Spatial Adapters is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created S2 Spatial Adapters?
It is built and maintained by MilesXiang (@spacesq); the current version is v2.0.7.
More Skills