← 返回 Skills 市场

Xiaomi Home Control

Name: Xiaomi Home Control
Author: canmaxfire

作者 canmaxfire · GitHub ↗ · v1.2.2 · MIT-0

cross-platform ⚠ suspicious

156

总下载

当前安装

版本数

在 OpenClaw 中安装

/install openclaw-xiaomi-home

功能描述

Control Xiaomi/Mijia smart home devices via Home Assistant using natural language to manage lights, AC, locks, fans, sensors, and more locally.

安全使用建议

Things to check before installing or running this skill: - Verify credentials metadata: the registry entry shows no required env vars, but the skill needs HA_TOKEN and HA_URL in scripts/ha-mcp-server/.env. Treat HA_TOKEN as highly sensitive — do not share it and restrict file permissions (chmod 600). - Network exposure: the code enforces Bearer auth and CORS but does not bind the MCP server explicitly to 127.0.0.1. By default Node will listen on all interfaces. If you only want local access, edit scripts/ha-mcp-server/src/http-server.mjs to bind to 127.0.0.1, or use a firewall rule to block external access to the MCP port (default 3002). - Persistence: setup.sh installs a LaunchAgent to keep the MCP server running. Review the generated plist before loading it, and remove/unload it when you no longer want the service. - Docker privileges: the docker-compose/run uses --privileged and host networking for Home Assistant. This is common for HA but increases host privileges. Only run it on a trusted machine. - Validate the code and sources: if you obtained the skill from this bundle rather than an official repo, consider auditing the small server files (http-server.mjs and call-tool.mjs) yourself or sourcing the project from a maintained upstream repository. Confirm package.json and package-lock integrity before running npm install. If you want a conservative safe setup: do not run setup.sh unmodified. Instead (a) manually create the .env with HA_URL and HA_TOKEN, (b) run the MCP server bound to 127.0.0.1, (c) use firewall rules to block remote access to the MCP port, and (d) only enable the LaunchAgent after inspecting the plist.

功能分析

Type: OpenClaw Skill Name: openclaw-xiaomi-home Version: 1.2.2 The skill bundle provides a legitimate Model Context Protocol (MCP) server for controlling Xiaomi smart home devices via a local Home Assistant instance. The implementation in `scripts/ha-mcp-server/src/http-server.mjs` includes appropriate security measures for a local service, such as Bearer token authentication, CORS restrictions to localhost, and origin validation to prevent cross-site attacks. Sensitive credentials (HA_TOKEN) are handled locally via a `.env` file and are only transmitted to the user's local Home Assistant API (defaulting to localhost:8123). The setup script (`scripts/setup.sh`) automates the deployment of Home Assistant via Docker and configures a macOS LaunchAgent for persistence, which is consistent with the stated purpose of maintaining a background control server.

能力标签

requires-oauth-tokenrequires-sensitive-credentials

能力评估

ℹ Purpose & Capability

The skill's stated purpose (control Xiaomi devices via Home Assistant) matches the code and docs: the MCP server calls Home Assistant APIs and exposes tools for lights, climate, locks, sensors, etc. However the registry metadata claims no required env vars/credentials whereas SKILL.md, README, setup.sh and server code require and use a Home Assistant long-lived token (HA_TOKEN) and HA_URL — this metadata omission is an inconsistency.

⚠ Instruction Scope

SKILL.md and README describe a local-only design. The code enforces Bearer auth and restricts CORS to http://localhost, but the server does not explicitly bind to 127.0.0.1; it listens on the configured port on all interfaces by default. Origin/CORS restrictions only affect browsers; non-browser clients (or remote hosts that can reach the port) could attempt requests. The setup script also creates a LaunchAgent that will run the MCP server persistently. The documentation's claim 'MCP server only accepts requests from localhost' is therefore inaccurate/insufficient.

ℹ Install Mechanism

This is mostly instruction-only with included helper scripts; there is no opaque remote install URL. Installation runs docker compose (pulling Home Assistant from ghcr.io) and npm install in the ha-mcp-server folder (package.json only depends on dotenv, but package-lock contains many entries). The setup script runs docker (including a fallback docker run with --privileged and host networking) and installs a LaunchAgent. These are expected for a local Home Assistant integration but grant the container broad host privileges and persistent behavior — standard for HA but worth noting.

⚠ Credentials

The skill requires a Home Assistant Long-Lived Access Token (HA_TOKEN) and HA_URL in an .env file for the MCP server to authenticate to Home Assistant. Requesting HA_TOKEN is appropriate for controlling Home Assistant, but the registry metadata did not declare any required env vars/primary credential (mismatch). The code reads .env from the skill directory and will include HA_TOKEN in Authorization headers to the local HA instance; ensure .env is protected (file permissions) because this token grants control over devices and automations.

⚠ Persistence & Privilege

The provided setup.sh installs a LaunchAgent under ~/Library/LaunchAgents to run the MCP server persistently and starts Home Assistant containers. Persistent LaunchAgents and a privileged Home Assistant container increase attack surface and permanence of the skill on the system. always:false (no forced inclusion), but the skill does persist itself as a per-user service if the user runs setup.sh.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install openclaw-xiaomi-home
安装完成后，直接呼叫该 Skill 的名称或使用 /openclaw-xiaomi-home 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.2.2

Fix entity ID documentation - entity IDs are device-specific, added finding guide

v1.2.1

Added XiaoAI TTS voice announcement via xiaoai_announce tool

v1.2.0

Fix: bearer token auth on MCP server, CORS restricted to localhost, declare HA_TOKEN credential

v1.1.3

Trigger re-scan: clarify HA_TOKEN stays local only

v1.1.2

Add security section: clarify HA_TOKEN stays local, no LLM, no exfiltration

v1.1.1

Rewrite tagline: your OpenClaw controls your smart home via Home Assistant

v1.1.0

Rewrite: plain language descriptions, user benefit focus instead of technical jargon

v1.0.2

Professional docs rewrite — English only, security transparency, deduplicate content

元数据

Slug openclaw-xiaomi-home

版本 1.2.2

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 8

常见问题

Xiaomi Home Control 是什么？

Control Xiaomi/Mijia smart home devices via Home Assistant using natural language to manage lights, AC, locks, fans, sensors, and more locally. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 156 次。

如何安装 Xiaomi Home Control？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-xiaomi-home」即可一键安装，无需额外配置。

Xiaomi Home Control 是免费的吗？

是的，Xiaomi Home Control 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Xiaomi Home Control 支持哪些平台？

Xiaomi Home Control 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Xiaomi Home Control？

由 canmaxfire（@canmaxfire）开发并维护，当前版本 v1.2.2。