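Total downloads: 797
Favorites: 4
Current installs: 0
Versions: 1
Install in OpenClaw
/install xiaoai-bridge
Description
Voice command bridge for Xiaomi XiaoAi speakers. It intercepts voice messages from the XiaoAi speaker, converts them into AI assistant commands, and replies via TTS. Supports trigger-word filtering, automatic deduplication, and background listening. Suited to scenarios such as controlling the OpenClaw assistant by voice through the XiaoAi speaker, smart-home integration, and voice task execution.
Security recommendations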
This skill does roughly what it claims (connect to Xiaomi, poll voice messages, output JSON, and play TTS), but there are important red flags you should address before installing:
- Do NOT use credentials included in the bundle (scripts/.mi.json). That file contains a passToken/serviceToken and device identifiers; treat it as compromised and remove it. Always use your own MI_PASS_TOKEN or a dedicated account.
- The package metadata omitted required env vars — expect to provide MI_USER_ID, MI_PASS_TOKEN (recommended) or MI_PASSWORD, and MI_DEVICE_ID. Confirm these requirements with the code before running.
- Inspect the @mi-gpt/miot dependency yourself (package-lock points to a Tencent mirror). If you cannot verify the registry/mirror, consider installing dependencies from the official npm registry or review the package source.
- Because the listener continuously polls and prints conversation text, run the skill in an isolated environment (container or VM) to avoid accidental data leakage. Review logs carefully — the script will output user voice text and device info.
- Replace any use of a real personal Xiaomi account with a dedicated/test account if possible. If you ever used the included tokens, rotate credentials immediately.
- Investigate the prompt-injection warning in SKILL.md (base64 or other embedded payloads) and remove any unexpected or encoded content.
If you are not comfortable auditing the dependency (@mi-gpt/miot) and removing the embedded .mi.json first, treat this skill as unsafe to install in a production environment.
Functional analysis
Type: OpenClaw Skill
Name: xiaoai-bridge
Version: 1.0.0
The skill bundle is classified as suspicious due to two critical vulnerabilities. Firstly, the `scripts/.mi.json` file contains hardcoded Xiaomi account credentials (userId and passToken), which is a severe accidental credential leak of the developer's secrets. Secondly, the `SKILL.md` documentation provides example code that uses `child_process.exec` to execute `xiaoai-listen.js speak "${text}"`. If the `text` variable, originating from AI agent responses to voice commands, contains shell metacharacters, it could lead to arbitrary command execution (RCE) due to lack of input sanitization in the recommended integration pattern.
Capability assessment
Purpose & Capability
The SKILL.md and scripts clearly require Xiaomi credentials (MI_USER_ID, MI_PASS_TOKEN or MI_PASSWORD, MI_DEVICE_ID) and use the @mi-gpt/miot library to access device messages and TTS. However, the registry metadata lists no required env vars/credentials — a clear mismatch. Including Xiaomi account tokens in scripts/.mi.json (hardcoded passToken, serviceToken, device info) is unnecessary for distribution and indicates careless handling of credentials or distribution of a pre-authenticated account.
Instruction Scope
The runtime instructions tell the agent/user to run node scripts that: log into a Xiaomi account, poll conversations, print device lists (DEBUG=true), and call TTS play functions. These operations legitimately require the Xiaomi credentials, but the skill also instructs copying .env.example (not present in manifest) and running background processes that will continuously poll and output conversation content. The SKILL.md contains a detected prompt-injection pattern (base64-block). The skill's instructions also recommend executing the listener via child_process.exec (examples), giving broad runtime control over the environment where the skill runs.
Install Mechanism
There is no formal install spec, but the SKILL.md expects 'npm install' in scripts/. The package.json and package-lock are included. The lockfile resolves dependencies via mirrors.tencentyun.com rather than the default npm registry — this may be normal for some users but is worth noting because it changes the provenance of dependencies. There are no arbitrary download URLs or archive extraction steps in the install spec.
Credentials
Functionally, requesting MI_USER_ID, MI_PASS_TOKEN/MI_PASSWORD, and MI_DEVICE_ID is proportional to the stated purpose. But the manifest declares no required env vars while the code and documentation require several secrets — an inconsistency. Worse, the bundle includes scripts/.mi.json with a full passToken, serviceToken, device IDs and other session data: shipping embedded credentials in a skill bundle is unsafe (they may be stale but are effectively leaked). Requiring MI_PASSWORD as an option is also high-risk (encourage passToken instead).
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not claim system-wide changes. It runs as a background process when started, which is expected for a listener. No privileges beyond network access and the Xiaomi credentials are requested.
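How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install xiaoai-bridge
- Once installation completes, invoke the Skill directly by name or trigger it with /xiaoai-bridge
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history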
v1.0.0
Initial release of xiaoai-bridge skill.
- Enables voice command integration with Xiaomi XiaoAi speakers for OpenClaw assistant and smart home scenarios.
- Supports real-time voice message polling, trigger word filtering, duplicate message prevention, and background listening.
- Converts XiaoAi voice input to AI assistant commands; replies via TTS on the speaker.
- Provides simple configuration via environment variables and usage examples for integration and TTS playback.
- Includes troubleshooting tips, best practices, and complete code samples for seamless adoption.
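FAQ
What is xiaoai-bridge?
Voice command bridge for Xiaomi XiaoAi speakers. It intercepts voice messages from the XiaoAi speaker, converts them into AI assistant commands, and replies via TTS. Supports trigger-word filtering, automatic deduplication, and background listening. Suited to scenarios such as controlling the OpenClaw assistant by voice through the XiaoAi speaker, smart-home integration, and voice task execution. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 797 cumulative downloads to date.
How do I install xiaoai-bridge?
Run the command "/install xiaoai-bridge" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.
Is xiaoai-bridge free?
Yes, xiaoai-bridge is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does xiaoai-bridge support?
xiaoai-bridge is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops xiaoai-bridge?
It is developed and maintained by 冬暖夏凉 (@warm-winter); the current version is v1.0.0.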