← 返回 Skills 市场
Xiaomi
作者
yiqiezhenxi
· GitHub ↗
· v1.0.0
1596
总下载
2
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install xiaomi-home-skill
功能描述
[English] Control Xiaomi Home devices via local LAN using miiocli. Supports status checks, toggling power, and MIOT property manipulation for devices like smart plugs, humidifiers, and rice cookers. | [中文] 通过局域网利用 miiocli 控制米家智能设备。支持查看状态、开关控制以及对智能插座、加湿器、电饭煲等 MIOT 设备的属性调优。
安全使用建议
This skill's goal (local miiocli-based control of Xiaomi devices) is reasonable, but take care before installing:
- The SKILL.md promises a "scripts/token_extractor.py" and other scripts but the package contains no such files; ask the publisher where the extractor script comes from and inspect it before running. Token extractors require your Xiaomi account credentials and will yield device tokens — treat these as highly sensitive.
- The install command embedded in SKILL.md will run pipx and then run pip inside a pipx venv using a hardcoded user-path (/Users/$(whoami)/.local/pipx/...). That may fail or act on unexpected paths; understand and approve any install commands before execution.
- If you obtain or run any token-extraction script, review its source to ensure it does not exfiltrate credentials to external servers. Prefer using official, audited tools and only store tokens in a secure location (not plain text references/*.md files).
- If you want to proceed, request the missing script(s) and documentation from the skill author or only run the steps in a controlled environment (e.g., an isolated VM) after code review.
Given the missing files and the brittle install instructions, I recommend treating this skill as untrusted until the author provides the extractor script and a clearer, platform-neutral install procedure.
功能分析
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
The skill is classified as suspicious due to the use of an `exec` command during installation, which involves direct shell execution (`pipx install python-miio && /Users/$(whoami)/.local/pipx/venvs/python-miio/bin/python -m pip install 'click<8.1.0'`) as specified in `SKILL.md`. While the command appears to be for legitimate dependency management and installation of the `python-miio` library, direct shell execution is a high-risk capability. Additionally, `SKILL.md` mentions a `scripts/token_extractor.py` script (not provided for analysis) intended to fetch sensitive device tokens from Xiaomi Cloud, which, if malicious, could pose a significant risk, even though the skill itself does not execute it.
能力评估
Purpose & Capability
The skill's functionality (using miiocli to control Xiaomi MIOT devices locally) matches the declared required binary (miiocli). However the SKILL.md advertises a "built-in Token Extractor" and scripts (e.g., scripts/token_extractor.py) that are not included in the package manifest, which is inconsistent with claiming those features are bundled.
Instruction Scope
Runtime instructions tell the agent/user to run a token extractor script and to store tokens in references/*.md. Those instructions require access to Xiaomi Cloud credentials and device tokens, but no guidance or included code for safe handling is provided. The instructions therefore reference files and sensitive operations (credential/token extraction and storage) that are not actually supplied.
Install Mechanism
Although the registry metadata lists no top-level install spec, the SKILL.md metadata contains an install entry that runs `pipx install python-miio` and then runs a pip install inside a pipx venv using a hardcoded path with `/Users/$(whoami)/.local/pipx/...`. This is brittle (assumes a particular pipx location and user home layout), will execute commands on the host, and alters a user-local venv to force a specific click version. These effects are reasonable for installing python-miio but are unexpected given the registry's "no install spec" claim and the hardcoded path is surprising and potentially problematic on non-matching systems.
Credentials
The skill declares no required environment variables or credentials, which superficially looks safe. However the token-extraction step inherently requires Xiaomi account credentials and access to device tokens; the skill does not declare how those credentials are provided or protected. That omission is a proportionality/clarity issue (it asks you to extract sensitive tokens but doesn't declare or document expected secrets handling).
Persistence & Privilege
The skill does not request always:true, does not require system config paths, and does not claim to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other high-privilege requests.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install xiaomi-home-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/xiaomi-home-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of Xiaomi Home skill.
- Control Xiaomi (Mi Home) devices over local LAN using miiocli.
- Check device status, toggle power, and modify MIOT properties for smart plugs, humidifiers, rice cookers, and more.
- Includes a token extractor script to easily fetch device IPs and tokens.
- Pre-configured example commands and workflows for common devices.
- Automatic fix for dependency conflicts (including the click library).
- Documentation and setup instructions provided in both English and Chinese.
元数据
常见问题
Xiaomi 是什么?
[English] Control Xiaomi Home devices via local LAN using miiocli. Supports status checks, toggling power, and MIOT property manipulation for devices like smart plugs, humidifiers, and rice cookers. | [中文] 通过局域网利用 miiocli 控制米家智能设备。支持查看状态、开关控制以及对智能插座、加湿器、电饭煲等 MIOT 设备的属性调优。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1596 次。
如何安装 Xiaomi?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install xiaomi-home-skill」即可一键安装,无需额外配置。
Xiaomi 是免费的吗?
是的,Xiaomi 完全免费(开源免费),可自由下载、安装和使用。
Xiaomi 支持哪些平台?
Xiaomi 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Xiaomi?
由 yiqiezhenxi(@yiqiezhenxi)开发并维护,当前版本 v1.0.0。
推荐 Skills