功能描述

Route Aqara Open API requests across device, space, and automation skills with a relationship-first router, shared CLI contract, and structured handoff contr...

使用说明 (SKILL.md)

\r \r

Aqara Open API Skill\r

Name: Aqara OpenAPI Local
Author: aqara

\r This file is the single entry router for the Aqara Open Platform HTTP API skill package.\r \r Read this file first. Use it to do four things:\r \r

Classify whether the user request lands in device, space, or automation.\r
Preserve the shared request envelope, credential rules, and non-guessing rules.\r
Build a structured handoff contract instead of forwarding raw user prose.\r
Decide whether the next step may use cache-first execution or must upgrade to stricter validation.\r \r Child skills:\r \r

aqara-open-api-local/device/SKILL.md\r
aqara-open-api-local/space/SKILL.md\r
aqara-open-api-local/automation/SKILL.md\r \r

Quick Route Table\r

\r Use this table before reading any child skill in depth.\r \r | User asks for | Final intent | Next file |\r |---|---|---|\r | list devices, count devices, read state, control a device | device | aqara-open-api-local/device/SKILL.md |\r | list spaces, create or rename spaces, move devices between spaces | space | aqara-open-api-local/space/SKILL.md |\r | create automation, inspect automation, update automation config, enable or disable automation, delete automation | automation | aqara-open-api-local/automation/SKILL.md |\r | room-scoped device query such as "what lights are in the living room" | device | confirm room identity, then query devices from data/devices.json |\r | room-related automation such as "turn on the light when someone is in the living room" | automation | resolve room and device evidence first, then enter automation |\r \r

Language Policy\r

\r

user-facing explanations, routing notes, and clarification questions should use Chinese Simplified\r
Open API request types, field names, file paths, enums, and code examples must keep exact English identifiers\r
do not mix Chinese and English in one rule sentence unless an exact identifier must be quoted\r \r

Package Model\r

\r Treat the three business entities as related, not isolated:\r \r

space is the container and grouping scope for devices\r
device is the concrete instance that can be queried, counted, and controlled\r
automation is the orchestration layer that references rooms, devices, and device traits\r \r Route by the final action target, not by keyword count alone.\r \r Important relationship rule:\r \r
for room-scoped device queries, space is the filter key and device is the answer source\r
GetSpacesRequest confirms that a room exists or resolves spaceId; it does not answer which devices are inside the room\r
the actual room-to-device result must come from data/devices.json by filtering devices whose room membership matches the resolved room\r \r Examples:\r \r
"what devices are in the living room" -> final intent is device\r
"move all lights from the master bedroom to the second bedroom" -> final intent is space\r
"create an automation that turns on the light when someone is in the living room" -> final intent is automation\r \r

Shared Runtime Contract\r

\r Runtime configuration may come from:\r \r

AQARA_ENDPOINT_URL\r
AQARA_OPEN_API_TOKEN\r
aqara config\r \r Credential resolution order:\r \r

Use the current shell environment if AQARA_ENDPOINT_URL and AQARA_OPEN_API_TOKEN are already set.\r
Otherwise read the AQARA CLI config file from ~/.aqa/config.json.\r
Use aqara config set-endpoint \x3Curl> and aqara config set-token \x3Ctoken> when the values are not already configured.\r \r Hard credential rules:\r \r

never guess or hardcode real credentials\r
never print the real token in chat, logs, or generated files\r
never write secrets into persistent shell startup files\r
if the config file is missing or unreadable, stop and report the configuration problem without dumping file contents\r \r

Shared API Contract\r

\r Global execution rules:\r \r

All execution should go through the aqara CLI instead of handwritten curl.\r
aqara devices cache refresh is the only allowed route for GetAllDevicesWithSpaceRequest.\r
Every other documented API request should use the matching aqara command group.\r
The underlying request body may contain only type, version, msgId, and data.\r
version must always be "v1".\r
type is whitelist-only. Never guess nearby request names.\r
Never guess deviceId, endpointId, functionCode, traitCode, spaceId, or automationId.\r
Command examples assume the current working directory is the aqara-open-api-local package root or that aqara is installed globally.\r
For queries such as "what devices are in the living room", never answer from GetSpacesRequest alone. Resolve the room first, then filter data/devices.json to produce the device list.\r \r Shared request envelope:\r \r

{\r
  "type": "\x3CRequestType>",\r
  "version": "v1",\r
  "msgId": "\x3Cunique-id>",\r
  "data": {}\r
}\r
```\r
\r
CLI execution note:\r
\r
- `aqara` encapsulates the request envelope and headers\r
- do not hand-build headers in normal skill execution\r
\r
Request type whitelist:\r
\r
- `GetAllDevicesWithSpaceRequest`\r
- `GetDeviceTypeInfosRequest`\r
- `ExecuteTraitRequest`\r
- `GetSpacesRequest`\r
- `CreateSpaceRequest`\r
- `UpdateSpaceRequest`\r
- `AssociateDevicesToSpaceRequest`\r
- `QueryAutomationCapabilitiesRequest`\r
- `CreateAutomationRequest`\r
- `UpdateAutomationRequest`\r
- `UpdateAutomationStatusRequest`\r
- `GetAutomationListRequest`\r
- `GetAutomationDetailsRequest`\r
- `DeleteAutomationRequest`\r
\r
## Capability Validation Strategy\r
\r
This package uses two validation modes for automation work:\r
\r
- `cache_first_generate`: default path for creation. Use resolved room and device context plus `data/devices.json` to build an automation-instance style `config`.\r
- `query_capabilities_required`: stricter path for risky or ambiguous automation work. Upgrade to `QueryAutomationCapabilitiesRequest` before finalizing the config.\r
\r
Upgrade from `cache_first_generate` to `query_capabilities_required` when any of the following is true:\r
\r
- the needed starter, condition, or action trait cannot be copied safely from `data/devices.json`\r
- the request depends on uncertain enum or event values\r
- the request is cross-space and the source or target mapping is still ambiguous\r
- the action is high risk, unusual, or not covered by the package's safe defaults\r
- the user explicitly asks for capability confirmation\r
\r
Important rule:\r
\r
- `data/devices.json` is the default creation evidence source\r
- `QueryAutomationCapabilitiesRequest` is the escalation path, not the default first step\r
\r
## Handoff Contract\r
\r
Before entering a child skill, build this structured handoff contract in reasoning. These are semantic routing fields only, not new Open API request fields.\r
\r
### Required handoff fields\r
\r
```json\r
{\r
  "finalIntentType": "device | space | automation",\r
  "resolvedSpace": {\r
    "name": "\x3CspaceName or null>",\r
    "spaceId": "\x3CspaceId or null>",\r
    "resolutionSource": "route | get_spaces | device_cache | unresolved"\r
  },\r
  "resolvedDevices": [\r
    {\r
      "deviceId": "\x3CdeviceId>",\r
      "deviceName": "\x3Cdisplay name>",\r
      "spaceName": "\x3Cspace name or null>",\r
      "spaceId": "\x3CspaceId or null>",\r
      "matchReason": "exact_name | room_plus_name | type_match | parent_context"\r
    }\r
  ],\r
  "resolvedAutomation": {\r
    "automationId": "\x3CautomationId or null>"\r
  },\r
  "ambiguityState": {\r
    "status": "none | room | device | automation | event_enum",\r
    "questionNeeded": true\r
  },\r
  "operationContext": {\r
    "operation": "query | control | create | update | rename | status | delete",\r
    "cacheFreshness": "fresh | stale | unknown",\r
    "detailsLoaded": false\r
  },\r
  "capabilityValidationMode": "cache_first_generate | query_capabilities_required",\r
  "branchingIntent": {\r
    "needsSplit": false,\r
    "reason": "\x3Coptional reason>"\r
  }\r
}\r
```\r
\r
### Handoff rules\r
\r
- do not hand off the raw user sentence alone\r
- if room scope is already resolved, pass it as `resolvedSpace` instead of forcing the child skill to rediscover it\r
- if several candidate devices remain, preserve them in `resolvedDevices` and ask for clarification before mutation\r
- if the request is an automation update, pass whether current automation details have already been loaded\r
- if a preceding space mutation may have changed room membership, mark `cacheFreshness` as `stale`\r
\r
## Router SOP\r
\r
Follow this order. Do not skip steps.\r
\r
1. Parse which entities are mentioned: `space`, `device`, `automation`.\r
2. Classify the final action target.\r
3. Resolve the anchor entity first: room-first, device-first, or automation-first.\r
4. If the task is a room-scoped device query, use `GetSpacesRequest` only to confirm the room identity when needed, then use `data/devices.json` to reverse lookup the devices in that room.\r
5. Build the handoff contract.\r
6. If ambiguity remains, ask before entering a mutating child workflow.\r
7. Enter the child skill whose domain matches `finalIntentType`.\r
\r
## Shared Recovery And Reliability Rules\r
\r
Response code reminders:\r
\r
- `code: 0` means success\r
- `400` usually means invalid request data\r
- `1001` usually means token expired or invalid\r
- `2030` usually means device not found\r
\r
Recovery rules:\r
\r
- device not found during device or space work: refresh `data/devices.json` once, then re-resolve the device\r
- invalid space update: re-check `spaceId`, mutation scope, and device membership\r
- invalid automation request: move to the automation child skill, re-check schema shape, and upgrade validation mode if needed\r
- network timeout: retry once, then report the failure\r
- space mutation before automation generation: refresh `data/devices.json` or mark `cacheFreshness: "stale"` and stop before create\r
\r
Platform note:\r
\r
- the package uses `aqara devices cache refresh` for the full device cache\r
- if Node.js or the CLI entry cannot run in the current runtime, stop and explain that the CLI path is unavailable instead of inventing ad hoc shell replacements\r
\r
## Forbidden Behavior\r
\r
Never do any of the following:\r
\r
- call Aqara APIs directly with `curl` when an `aqara` command exists\r
- guess request types or identifiers\r
- use stale prose memory or trait glossaries as authority for live state\r
- use `data/devices.json` as if it were an unconditional automation capability whitelist\r
- place automation `name`, `starters`, `condition`, or `actions` directly under top-level `data`\r
- describe impossible state such as "light is off and brightness is 100%"\r
\r
## Reference Index\r
\r
- `aqara-open-api-local/device/SKILL.md` — device cache-first query and control\r
- `aqara-open-api-local/space/SKILL.md` — space listing and mutation\r
- `aqara-open-api-local/automation/SKILL.md` — automation creation and CRUD\r
- `aqara-open-api-local/docs/commands.md` — CLI command catalog\r
- `aqara-open-api-local/data/devices.json` — device cache\r
- `aqara-open-api-local/references/examples.md` — intent-based example index\r
- `aqara-open-api-local/references/automation-http-examples.md` — automation HTTP lifecycle examples

安全使用建议

This package appears to do what it says: it's a Node-based local CLI/router for the Aqara Open API and legitimately needs your Aqara endpoint and bearer token. Before installing or running it, consider: 1) The skill will look for credentials first in your environment variables and then in the AQARA CLI config file (~/.aqa/config.json). If you do not want the skill to read or modify that file, provide AQARA_ENDPOINT_URL and AQARA_OPEN_API_TOKEN in the environment instead. 2) The CLI writes a device cache to data/devices.json in the package directory — that will contain device IDs and metadata from your account. 3) There is no remote installer; the package contains Node source that will run locally. If you don't fully trust the source, review bin/aqara-open-api.js and lib/http.js to inspect network calls and ensure no unexpected endpoints or telemetry exist, or run the CLI in an isolated environment (container or VM). 4) The SKILL.md explicitly warns not to print tokens, but you should still avoid pasting real credentials into untrusted consoles. If you want the evaluator to take a closer look, provide the contents of bin/aqara-open-api.js and lib/http.js and I can call out any unexpected network endpoints or exec calls.

功能分析

Type: OpenClaw Skill Name: aqara-open-api-local Version: 1.0.3 The Aqara Open API skill bundle is a well-structured and legitimate tool for managing IoT devices, spaces, and automations. It follows security best practices by implementing explicit 'Hard credential rules' in SKILL.md to prevent the AI agent from leaking tokens, masking sensitive values in CLI output (lib/config.js), and using a schema-validated workflow for automation generation (lib/automation.js). The code relies on standard Node.js built-ins without external dependencies, and there is no evidence of data exfiltration, unauthorized remote execution, or malicious prompt injection.

能力标签

cryptocan-make-purchasesrequires-oauth-tokenrequires-sensitive-credentials

能力评估

✓ Purpose & Capability

Name, description, and code files implement an Aqara Open API CLI/router. Required binary (node) and the two environment variables (AQARA_ENDPOINT_URL, AQARA_OPEN_API_TOKEN) directly correspond to the declared purpose of calling the Aqara Open API. Binaries, files, and features (device cache, spaces, automations) are coherent with the stated functionality.

ℹ Instruction Scope

SKILL.md stays within the domain of Aqara API operations: routing intents, using a cache (data/devices.json), invoking the local 'aqara' CLI entrypoint, and performing specific whitelisted request types. It explicitly forbids printing tokens and writing secrets to shell startup files. One mismatch: the runtime instructions say the CLI will fallback to reading the AQARA CLI config at ~/.aqa/config.json if env vars are missing, but the skill metadata declared no required config paths — that file access is sensitive and should be noted.

✓ Install Mechanism

No remote install/download steps are declared. The package includes Node.js source and a bin entry (bin/aqara-open-api.js); execution requires only 'node'. There are no external URLs or archive extracts in the install spec. This is a low-risk install mechanism in the sense that nothing is fetched from arbitrary remote hosts by the installer.

ℹ Credentials

The two required environment variables are proportional and expected for an API client: AQARA_ENDPOINT_URL and AQARA_OPEN_API_TOKEN. The SKILL.md also documents a fallback to the AQARA CLI config file (~/.aqa/config.json) for credentials; that config file was not listed in the skill's declared required config paths. Reading that file is reasonable for a CLI but is a sensitive operation that should be explicitly declared to users.

✓ Persistence & Privilege

The skill is not always-enabled and does not request elevated platform privileges. It does write a local cache file (data/devices.json) as part of normal operation and may instruct users to run 'aqara config set-token' which writes to the AQARA CLI config (~/.aqa/config.json). Those are expected for a CLI that stores tokens and caches devices, but they do modify user files outside the package root and should be considered when granting the skill access.

版本历史

v1.0.3

- No file changes detected in this release. - Version bump to 1.0.3 for administrative or metadata update purposes.

v1.0.2

Initial release of aqara-open-api-local. - Routes Aqara Open API requests with a relationship-first router for device, space, and automation skills. - Enforces shared CLI contract using environment variables (AQARA_OPEN_API_TOKEN, AQARA_ENDPOINT_URL) or AQARA CLI config. - Provides a clear structured handoff contract for all routed requests. - Quick route table and examples clarify how user queries map to device, space, or automation intents. - Strict credential and API usage policies, with no guessing or hardcoding of sensitive information. - Outlines validation strategies and escalation rules for automation creation and capability checks.

v1.0.1

Initial release of aqara-open-api-local. - Provides a unified entry point for routing Aqara Open API requests by device, space, and automation intent. - Implements a relationship-first router with a structured handoff contract. - Enforces strict credential and API request handling policies. - Integrates with the command-line via the aqara CLI, not direct API calls. - Formalizes support for cache-based and capability-query automation validation strategies.

v1.0.0

Aqara Open API Skill 1.0.0 – Initial release. - Provides a primary router for classifying user requests as device, space, or automation actions. - Establishes a structured handoff contract for routing requests to child skills. - Implements strict credential and API usage rules, supporting environment variables and AQARA CLI config. - Outlines shared request envelopes, whitelist for supported request types, and validation strategies. - Includes detailed routing and runtime contracts to ensure safe, relationship-first API operations.

元数据

Slug aqara-open-api-local

版本 1.0.3

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 4

常见问题

Aqara OpenAPI Local 是什么？

Route Aqara Open API requests across device, space, and automation skills with a relationship-first router, shared CLI contract, and structured handoff contr... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 83 次。

如何安装 Aqara OpenAPI Local？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install aqara-open-api-local」即可一键安装，无需额外配置。

Aqara OpenAPI Local 是免费的吗？

是的，Aqara OpenAPI Local 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Aqara OpenAPI Local 支持哪些平台？

Aqara OpenAPI Local 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Aqara OpenAPI Local？

由 AIOT Open Cloud（@aqara）开发并维护，当前版本 v1.0.3。

Aqara OpenAPI Local