← 返回 Skills 市场
380
总下载
0
收藏
2
当前安装
3
版本数
在 OpenClaw 中安装
/install xiaoai-speaker
功能描述
小爱音箱语音播报。一句话让小爱说话,无需编写代码,支持定时提醒、远程喊话、家庭传话。
安全使用建议
Before installing or running this skill: 1) Treat the MI_USER/MI_PASS credentials as sensitive — avoid storing plaintext passwords in ~/.zshrc or cron lines; prefer ephemeral environment variables or an account with limited scope. 2) Verify the upstream SDK (https://github.com/Yonsm/MiService) yourself before allowing the skill to clone/import it — review its code for unexpected network calls or exfiltration. 3) Prefer running the skill in an isolated environment (container/VM) if you must test it, so that the runtime clone can't affect your host. 4) Note the registry metadata omission: the skill actually requires MI_USER/MI_PASS though metadata lists none — treat metadata as unreliable. 5) If you accept the risk, consider modifying the code to avoid cloning into /tmp automatically and to prompt for credentials at runtime instead of persisting them. 6) The unicode-control-chars flag in SKILL.md is unusual — inspect SKILL.md for hidden characters before trusting automatic evaluation tools.
功能分析
Type: OpenClaw Skill
Name: xiaoai-speaker
Version: 1.0.2
The skill handles sensitive Xiaomi account credentials (MI_USER, MI_PASS) and relies on a high-risk dependency management pattern. Specifically, scripts in the `scripts/` directory hardcode a search path to `/tmp/MiService`, a world-writable directory, which is vulnerable to local module hijacking. Furthermore, while `SKILL.md` claims the skill 'automatically installs' dependencies via `git clone` at runtime, the provided code lacks this logic, creating a discrepancy that might induce an AI agent to execute untrusted shell commands to satisfy the dependency.
能力评估
Purpose & Capability
The name/description and the code align: the skill needs a Xiaomi account (MI_USER/MI_PASS) and uses a Xiaomi SDK (MiService) to call the cloud and perform TTS. However the registry Requirements section lists no required environment variables while both SKILL.md and all scripts clearly require MI_USER and MI_PASS (and optionally MI_DEVICE_NAME/MI_DEVICE_ID). That metadata omission is an important incoherence.
Instruction Scope
Instructions ask the user to set credentials (and even append them to ~/.zshrc), run cron entries that embed credentials, and clone a third‑party GitHub repo into /tmp for runtime imports. The scripts read only Xiaomi-related env vars, but the practice of persisting plaintext credentials to shell rc and executing code imported from /tmp increases risk. SKILL.md also contains detected unicode control characters (prompt-injection signal), which is suspicious and should be reviewed.
Install Mechanism
There is no formal install spec; instead the README/SKILL.md and a 'security' note instruct cloning https://github.com/Yonsm/MiService into /tmp and the Python scripts import from /tmp/MiService. That means third-party code will be downloaded at runtime and executed via imports, which is higher risk than using a vetted package. The GitHub source is plausible for the SDK, but the download-and-import behavior is not enforced/verified by the package metadata.
Credentials
Requested secrets (MI_USER, MI_PASS) are appropriate for controlling a Xiaomi cloud account. But the skill metadata did not declare these required env vars (incoherent). Also the SKILL.md recommends storing credentials in shell rc and cron commands show credentials inline, which increases exposure risk and is disproportionate to the minimum needed for transient runs.
Persistence & Privilege
The skill does not request platform-level privileges or 'always' inclusion. However instructions encourage persistent changes to the user environment (appending env vars/aliases to ~/.zshrc, adding cron jobs) and the runtime behavior depends on cloning external code into /tmp, which affects the system beyond a transient run and raises persistence concerns.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install xiaoai-speaker - 安装完成后,直接呼叫该 Skill 的名称或使用
/xiaoai-speaker触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
xiaoai-speaker 1.0.2
- Switched configuration to environment variables (MI_USER, MI_PASS, MI_DEVICE_NAME) for improved security and usability.
- Updated documentation for faster setup and environment variable usage.
- Refined CLI usage instructions and advanced use examples.
- Clarified dependency handling; MiService SDK is now auto-installed if missing.
- Enhanced FAQ, usage tips, and security notes in the documentation.
v1.0.1
- 移除了 scripts/server.py 文件,清理了冗余脚本
- 其余功能及文档未变化
v1.0.0
xiaoai-speaker 1.0.0 初始版本发布:
- 支持通过 OpenClaw 向小爱音箱发送一句话语音播报,无需编写代码
- 提供一键配置和多设备选择,轻松用于定时提醒、家庭助手等场景
- 集成 OpenClaw cron,可设置自动化语音任务
- 支持设备列表查看和语音播报测试
- 账户信息本地存储,确保安全和隐私
元数据
常见问题
小爱音箱语音播报 是什么?
小爱音箱语音播报。一句话让小爱说话,无需编写代码,支持定时提醒、远程喊话、家庭传话。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 380 次。
如何安装 小爱音箱语音播报?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install xiaoai-speaker」即可一键安装,无需额外配置。
小爱音箱语音播报 是免费的吗?
是的,小爱音箱语音播报 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
小爱音箱语音播报 支持哪些平台?
小爱音箱语音播报 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 小爱音箱语音播报?
由 zkfan(@zkfan)开发并维护,当前版本 v1.0.2。
推荐 Skills