← Back to Skills Marketplace
380
Downloads
0
Stars
2
Active Installs
3
Versions
Install in OpenClaw
/install xiaoai-speaker
Description
小爱音箱语音播报。一句话让小爱说话,无需编写代码,支持定时提醒、远程喊话、家庭传话。
Usage Guidance
Before installing or running this skill: 1) Treat the MI_USER/MI_PASS credentials as sensitive — avoid storing plaintext passwords in ~/.zshrc or cron lines; prefer ephemeral environment variables or an account with limited scope. 2) Verify the upstream SDK (https://github.com/Yonsm/MiService) yourself before allowing the skill to clone/import it — review its code for unexpected network calls or exfiltration. 3) Prefer running the skill in an isolated environment (container/VM) if you must test it, so that the runtime clone can't affect your host. 4) Note the registry metadata omission: the skill actually requires MI_USER/MI_PASS though metadata lists none — treat metadata as unreliable. 5) If you accept the risk, consider modifying the code to avoid cloning into /tmp automatically and to prompt for credentials at runtime instead of persisting them. 6) The unicode-control-chars flag in SKILL.md is unusual — inspect SKILL.md for hidden characters before trusting automatic evaluation tools.
Capability Analysis
Type: OpenClaw Skill
Name: xiaoai-speaker
Version: 1.0.2
The skill handles sensitive Xiaomi account credentials (MI_USER, MI_PASS) and relies on a high-risk dependency management pattern. Specifically, scripts in the `scripts/` directory hardcode a search path to `/tmp/MiService`, a world-writable directory, which is vulnerable to local module hijacking. Furthermore, while `SKILL.md` claims the skill 'automatically installs' dependencies via `git clone` at runtime, the provided code lacks this logic, creating a discrepancy that might induce an AI agent to execute untrusted shell commands to satisfy the dependency.
Capability Assessment
Purpose & Capability
The name/description and the code align: the skill needs a Xiaomi account (MI_USER/MI_PASS) and uses a Xiaomi SDK (MiService) to call the cloud and perform TTS. However the registry Requirements section lists no required environment variables while both SKILL.md and all scripts clearly require MI_USER and MI_PASS (and optionally MI_DEVICE_NAME/MI_DEVICE_ID). That metadata omission is an important incoherence.
Instruction Scope
Instructions ask the user to set credentials (and even append them to ~/.zshrc), run cron entries that embed credentials, and clone a third‑party GitHub repo into /tmp for runtime imports. The scripts read only Xiaomi-related env vars, but the practice of persisting plaintext credentials to shell rc and executing code imported from /tmp increases risk. SKILL.md also contains detected unicode control characters (prompt-injection signal), which is suspicious and should be reviewed.
Install Mechanism
There is no formal install spec; instead the README/SKILL.md and a 'security' note instruct cloning https://github.com/Yonsm/MiService into /tmp and the Python scripts import from /tmp/MiService. That means third-party code will be downloaded at runtime and executed via imports, which is higher risk than using a vetted package. The GitHub source is plausible for the SDK, but the download-and-import behavior is not enforced/verified by the package metadata.
Credentials
Requested secrets (MI_USER, MI_PASS) are appropriate for controlling a Xiaomi cloud account. But the skill metadata did not declare these required env vars (incoherent). Also the SKILL.md recommends storing credentials in shell rc and cron commands show credentials inline, which increases exposure risk and is disproportionate to the minimum needed for transient runs.
Persistence & Privilege
The skill does not request platform-level privileges or 'always' inclusion. However instructions encourage persistent changes to the user environment (appending env vars/aliases to ~/.zshrc, adding cron jobs) and the runtime behavior depends on cloning external code into /tmp, which affects the system beyond a transient run and raises persistence concerns.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xiaoai-speaker - After installation, invoke the skill by name or use
/xiaoai-speaker - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
xiaoai-speaker 1.0.2
- Switched configuration to environment variables (MI_USER, MI_PASS, MI_DEVICE_NAME) for improved security and usability.
- Updated documentation for faster setup and environment variable usage.
- Refined CLI usage instructions and advanced use examples.
- Clarified dependency handling; MiService SDK is now auto-installed if missing.
- Enhanced FAQ, usage tips, and security notes in the documentation.
v1.0.1
- 移除了 scripts/server.py 文件,清理了冗余脚本
- 其余功能及文档未变化
v1.0.0
xiaoai-speaker 1.0.0 初始版本发布:
- 支持通过 OpenClaw 向小爱音箱发送一句话语音播报,无需编写代码
- 提供一键配置和多设备选择,轻松用于定时提醒、家庭助手等场景
- 集成 OpenClaw cron,可设置自动化语音任务
- 支持设备列表查看和语音播报测试
- 账户信息本地存储,确保安全和隐私
Metadata
Frequently Asked Questions
What is 小爱音箱语音播报?
小爱音箱语音播报。一句话让小爱说话,无需编写代码,支持定时提醒、远程喊话、家庭传话。 It is an AI Agent Skill for Claude Code / OpenClaw, with 380 downloads so far.
How do I install 小爱音箱语音播报?
Run "/install xiaoai-speaker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 小爱音箱语音播报 free?
Yes, 小爱音箱语音播报 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 小爱音箱语音播报 support?
小爱音箱语音播报 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created 小爱音箱语音播报?
It is built and maintained by zkfan (@zkfan); the current version is v1.0.2.
More Skills