← 返回 Skills 市场
437
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install migpt-xiaomi-assistant
功能描述
Deploy MiGPT on a Xiaomi smart speaker to replace the built-in AI with a custom LLM-powered voice assistant. Use when: (1) setting up mi-gpt on a Xiaomi/Redm...
安全使用建议
This skill mostly documents how to run MiGPT on Xiaomi speakers, but it includes an explicit MIoT authentication bypass that requires collecting browser cookies, Xiaomi passwords, and writing tokens to disk plus patching node_modules. Before using: (1) Verify the source repository and maintainer — prefer an upstream/official repo; (2) do not paste browser cookies or passwords into tools or agents you don't fully trust; collect credentials manually and store them securely (use a temporary account if possible); (3) avoid enabling debug (it will log env vars including API keys); (4) understand that the provided patches persistently alter installed packages and will be overwritten by updates — prefer patch-package or postinstall scripts and keep patches under version control; (5) consider alternatives that do not require auth bypass (e.g., configure device via official app, disable native voice replies in the Xiaomi app instead of cookie injection); (6) if you must proceed, inspect every line of the cookie-exchange and file-write code yourself and only run it locally on a machine you control. Additional useful information to raise confidence: a verifiable upstream project URL, evidence that the cookie-exchange method is an accepted/official workaround (not an exploit), or a clear statement about whether the skill ever transmits credentials to external servers (currently it stores them locally).
功能分析
Type: OpenClaw Skill
Name: migpt-xiaomi-assistant
Version: 1.0.0
The skill provides instructions for deploying a custom AI assistant on Xiaomi speakers but includes high-risk procedures for bypassing security mechanisms. Specifically, 'references/miot-auth-bypass.md' describes how to manually extract and inject sensitive browser session cookies (including passport hashes and device IDs) into local configuration files to circumvent Xiaomi's security verification loops. Furthermore, 'references/patches.md' instructs the agent to modify third-party library code within 'node_modules' to skip authentication checks. While these actions are presented as workarounds for documented technical limitations of the MiGPT framework, the handling of session tokens and the modification of dependency code represent significant security risks that could be exploited if the environment is compromised.
能力评估
Purpose & Capability
Most of the files and instructions (config template, MIoT command mapping, streamResponse handling, latency guidance) are coherent with the stated goal of deploying MiGPT on Xiaomi speakers. However, the inclusion of a browser cookie 'injection' procedure and explicit code to persist serviceToken/ssecurity/passwords goes beyond typical setup guidance: it's a direct authentication bypass step that is sensitive even if it serves the deployment goal.
Instruction Scope
Runtime instructions tell the user/agent to collect browser cookies and Xiaomi credentials, run code that exchanges passToken/serviceToken, write those credentials into .mi.json, and patch files inside node_modules to skip login and change behavior. These are persistent, privileged operations that handle highly sensitive secrets and alter installed package code. The instructions also recommend enabling debug which will dump env vars (explicitly warns this leaks API keys). The skill does not limit or clarify how browser cookies should be collected or protected — this broad and persistent handling of secrets is a significant scope expansion from a simple deployment guide.
Install Mechanism
There is no install spec (instruction-only), which is lower-risk in terms of arbitrary downloads. The guide expects npm install of mi-gpt and mi-service-lite and manual patches to node_modules; modifying node_modules is risky (will be overwritten on updates) but not unusual for local hacks. No remote or obfuscated download URLs are used in the skill files themselves.
Credentials
The skill metadata declares no required env vars or credentials, yet the instructions clearly require an OpenAI-compatible API key (OPENAI_API_KEY/OPENAI_BASE_URL) and Xiaomi account credentials and browser cookies (userId, password, passport_slh, passport_ph, deviceId, passToken, ssecurity, serviceToken). Requesting and storing these highly sensitive values is disproportionate to a registry entry that declares none — metadata mismatch increases risk and surprises users about what secrets will be needed and stored.
Persistence & Privilege
The skill does not request 'always:true' and has no special platform privileges. However, instructions explicitly persist credentials into .mi.json and propose patching node_modules to change login behavior — these actions create long-lived local credentials and altered package behavior. That persistence increases risk (stale or leaked tokens, elevated access) but the skill does not ask to modify other skills or system-wide agent configuration.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install migpt-xiaomi-assistant - 安装完成后,直接呼叫该 Skill 的名称或使用
/migpt-xiaomi-assistant触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: deploy custom LLM voice assistant on Xiaomi smart speakers
元数据
常见问题
MiGPT Xiaomi Assistant 是什么?
Deploy MiGPT on a Xiaomi smart speaker to replace the built-in AI with a custom LLM-powered voice assistant. Use when: (1) setting up mi-gpt on a Xiaomi/Redm... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 437 次。
如何安装 MiGPT Xiaomi Assistant?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install migpt-xiaomi-assistant」即可一键安装,无需额外配置。
MiGPT Xiaomi Assistant 是免费的吗?
是的,MiGPT Xiaomi Assistant 完全免费(开源免费),可自由下载、安装和使用。
MiGPT Xiaomi Assistant 支持哪些平台?
MiGPT Xiaomi Assistant 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 MiGPT Xiaomi Assistant?
由 tuituijcb(@tuituijcb)开发并维护,当前版本 v1.0.0。
推荐 Skills