Downloads: 797
Stars: 4
Active Installs: 0
Versions: 1
Install in OpenClaw
/install xiaoai-bridge
Description
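Voice command bridge for the Xiaomi XiaoAi speaker. It intercepts voice messages from the XiaoAi speaker, converts them into AI assistant commands, and replies via TTS. Supports trigger-word filtering, automatic deduplication, and background listening. Suited to scenarios such as controlling the OpenClaw assistant by voice through the XiaoAi speaker, smart-home integration, and voice task execution.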
Usage Guidance
This skill does roughly what it claims (connect to Xiaomi, poll voice messages, output JSON, and play TTS), but there are important red flags you should address before installing:
- Do NOT use credentials included in the bundle (scripts/.mi.json). That file contains a passToken/serviceToken and device identifiers; treat it as compromised and remove it. Always use your own MI_PASS_TOKEN or a dedicated account.
- The package metadata omitted required env vars — expect to provide MI_USER_ID, MI_PASS_TOKEN (recommended) or MI_PASSWORD, and MI_DEVICE_ID. Confirm these requirements with the code before running.
- Inspect the @mi-gpt/miot dependency yourself (package-lock points to a Tencent mirror). If you cannot verify the registry/mirror, consider installing dependencies from the official npm registry or review the package source.
- Because the listener continuously polls and prints conversation text, run the skill in an isolated environment (container or VM) to avoid accidental data leakage. Review logs carefully — the script will output user voice text and device info.
- Replace any use of a real personal Xiaomi account with a dedicated/test account if possible. If you ever used the included tokens, rotate credentials immediately.
- Investigate the prompt-injection warning in SKILL.md (base64 or other embedded payloads) and remove any unexpected or encoded content.
If you are not comfortable auditing the dependency (@mi-gpt/miot) and removing the embedded .mi.json first, treat this skill as unsafe to install in a production environment.
Capability Analysis
Type: OpenClaw Skill
Name: xiaoai-bridge
Version: 1.0.0
The skill bundle is classified as suspicious due to two critical vulnerabilities. Firstly, the `scripts/.mi.json` file contains hardcoded Xiaomi account credentials (userId and passToken), which is a severe accidental credential leak of the developer's secrets. Secondly, the `SKILL.md` documentation provides example code that uses `child_process.exec` to execute `xiaoai-listen.js speak "${text}"`. If the `text` variable, originating from AI agent responses to voice commands, contains shell metacharacters, it could lead to arbitrary command execution (RCE) due to lack of input sanitization in the recommended integration pattern.
Capability Assessment
Purpose & Capability
The SKILL.md and scripts clearly require Xiaomi credentials (MI_USER_ID, MI_PASS_TOKEN or MI_PASSWORD, MI_DEVICE_ID) and use the @mi-gpt/miot library to access device messages and TTS. However, the registry metadata lists no required env vars/credentials — a clear mismatch. Including Xiaomi account tokens in scripts/.mi.json (hardcoded passToken, serviceToken, device info) is unnecessary for distribution and indicates careless handling of credentials or distribution of a pre-authenticated account.
Instruction Scope
The runtime instructions tell the agent/user to run node scripts that: log into a Xiaomi account, poll conversations, print device lists (DEBUG=true), and call TTS play functions. These operations legitimately require the Xiaomi credentials, but the skill also instructs copying .env.example (not present in manifest) and running background processes that will continuously poll and output conversation content. The SKILL.md contains a detected prompt-injection pattern (base64-block). The skill's instructions also recommend executing the listener via child_process.exec (examples), giving broad runtime control over the environment where the skill runs.
Install Mechanism
There is no formal install spec, but the SKILL.md expects 'npm install' in scripts/. The package.json and package-lock are included. The lockfile resolves dependencies via mirrors.tencentyun.com rather than the default npm registry — this may be normal for some users but is worth noting because it changes the provenance of dependencies. There are no arbitrary download URLs or archive extraction steps in the install spec.
Credentials
Functionally, requesting MI_USER_ID, MI_PASS_TOKEN/MI_PASSWORD, and MI_DEVICE_ID is proportional to the stated purpose. But the manifest declares no required env vars while the code and documentation require several secrets — an inconsistency. Worse, the bundle includes scripts/.mi.json with a full passToken, serviceToken, device IDs and other session data: shipping embedded credentials in a skill bundle is unsafe (they may be stale but are effectively leaked). Requiring MI_PASSWORD as an option is also high-risk (encourage passToken instead).
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not claim system-wide changes. It runs as a background process when started, which is expected for a listener. No privileges beyond network access and the Xiaomi credentials are requested.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install xiaoai-bridge
- After installation, invoke the skill by name or use /xiaoai-bridge
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of xiaoai-bridge skill.
- Enables voice command integration with Xiaomi XiaoAi speakers for OpenClaw assistant and smart home scenarios.
- Supports real-time voice message polling, trigger word filtering, duplicate message prevention, and background listening.
- Converts XiaoAi voice input to AI assistant commands; replies via TTS on the speaker.
- Provides simple configuration via environment variables and usage examples for integration and TTS playback.
- Includes troubleshooting tips, best practices, and complete code samples for seamless adoption.
Frequently Asked Questions
What is xiaoai-bridge?
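Voice command bridge for the Xiaomi XiaoAi speaker. It intercepts voice messages from the XiaoAi speaker, converts them into AI assistant commands, and replies via TTS. Supports trigger-word filtering, automatic deduplication, and background listening. Suited to scenarios such as controlling the OpenClaw assistant by voice through the XiaoAi speaker, smart-home integration, and voice task execution. It is an AI Agent Skill for Claude Code / OpenClaw, with 797 downloads so far.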
How do I install xiaoai-bridge?
Run "/install xiaoai-bridge" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is xiaoai-bridge free?
Yes, xiaoai-bridge is completely free (open-source). You can download, install and use it at no cost.
Which platforms does xiaoai-bridge support?
xiaoai-bridge is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created xiaoai-bridge?
It is built and maintained by 冬暖夏凉 (@warm-winter); the current version is v1.0.0.