158 total downloads · 2 favorites · 1 current install · 6 versions
Install in OpenClaw
/install xiaomi-miot-lan
Description
Xiaomi Mi Home smart-home control skill. Controls Xiaomi IoT devices such as lights, air conditioners and robot vacuums through Xiao AI speakers and Mi Home devices. Used when the user issues smart-home commands such as "turn on the light", "turn off the air conditioner" or "have the robot vacuum clean".
Safe-use recommendations
This skill appears to implement the described Xiaomi login and device-control flow and uses Feishu to present login cards — that part is coherent. However, the code contains a hard-coded Xiaomi client_secret in login_card.py that contradicts the SKILL.md guidance to pass secrets via environment variables. Before installing or using this skill:
- Do not reuse production secrets. Create and use dedicated test FEISHU and Xiaomi OAuth credentials so you can revoke them if needed.
- Ask the author to remove the hard-coded client_secret and rely solely on the XIAOMI_CLIENT_SECRET env var (or confirm why the hard-coded value is present). Hard-coded secrets may indicate sloppy engineering or a leaked/stale credential.
- Inspect (or request) the full code beyond the truncated portion to confirm there are no additional unexpected network endpoints or data exfiltration.
- Verify the token cache path (~/.openclaw/skills/xiaomi-miot/data/token_cache.json) is acceptable for your threat model and ensure filesystem permissions are strict (owner-only).
If the author cannot justify or remove the embedded client_secret, treat this as a significant red flag and avoid installing it in production environments.
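The two checks above (a hard-coded client_secret in the skill's Python source, and the token cache being owner-only) can be scripted before installing. This is an added example, not code from the listing or from the skill; the sample source lines are constructed, and the checkout and cache paths are assumptions to adjust to your install.

```python
import re
import stat
from pathlib import Path

# A string literal assigned to any name containing "client_secret",
# e.g.  client_secret = "abc..."  or  XIAOMI_CLIENT_SECRET: str = '...'
SECRET_ASSIGN = re.compile(
    r'^[ \t]*[\w.]*client_secret[\w.]*[ \t]*(?::[ \t]*\w+[ \t]*)?=[ \t]*["\']([^"\']{8,})["\']',
    re.IGNORECASE | re.MULTILINE,
)
# The pattern SKILL.md promises: the secret is read from the environment.
ENV_READ = re.compile(
    r'os\.(?:environ(?:\.get)?|getenv)\s*[\(\[]\s*["\']XIAOMI_CLIENT_SECRET["\']'
)

def find_hardcoded_secrets(source: str):
    # Returns (line_number, stripped_line) for each hard-coded client_secret literal.
    return [(source.count("\n", 0, m.start()) + 1, m.group(0).strip())
            for m in SECRET_ASSIGN.finditer(source)]

def reads_secret_from_env(source: str) -> bool:
    return ENV_READ.search(source) is not None

def mode_is_owner_only(mode: int) -> bool:
    # True when no group/other permission bits are set (e.g. 0o600).
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def cache_is_owner_only(path: Path) -> bool:
    # A cache file that does not exist yet passes; an existing one must be 0o600-like.
    return (not path.exists()) or mode_is_owner_only(path.stat().st_mode)

def audit_skill(skill_dir: Path, cache_path: Path) -> list:
    # Collects findings for every .py file in the checkout plus the token cache file.
    findings = []
    for py in sorted(skill_dir.rglob("*.py")):
        src = py.read_text(errors="replace")
        for lineno, line in find_hardcoded_secrets(src):
            findings.append(f"{py}:{lineno}: hard-coded secret literal: {line}")
    if not cache_is_owner_only(cache_path):
        findings.append(f"{cache_path}: token cache is readable by group/other")
    return findings

# Constructed sample lines mirroring the reported pattern, not the skill's real code.
SAMPLE_BAD = 'import requests\nclient_id = "mi-app"\nclient_secret = "constructed-secret-value"\n'
SAMPLE_GOOD = 'import os\nclient_secret = os.environ.get("XIAOMI_CLIENT_SECRET")\n'
```

Run `audit_skill(Path("~/.openclaw/skills/xiaomi-miot").expanduser(), Path("~/.openclaw/skills/xiaomi-miot/data/token_cache.json").expanduser())` against the unpacked checkout; an empty list means neither finding applies.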
Functional analysis
Type: OpenClaw Skill
Name: xiaomi-miot-lan
Version: 1.4.0
The skill implements Xiaomi Mi Home integration but exhibits high-risk security practices. Most notably, SKILL.md instructs the AI agent to collect the user's Xiaomi password in plain text via the chat interface, exposing it to the LLM and the platform. Additionally, the skill stores sensitive authentication tokens in a local file (~/.openclaw/skills/xiaomi-miot/data/token_cache.json) and uses a hardcoded OAuth client secret in login_card.py. While these behaviors represent significant security vulnerabilities regarding credential handling, there is no clear evidence of intentional data exfiltration to unauthorized third-party domains beyond the official Xiaomi and Feishu endpoints.
Capability assessment
Purpose & Capability
Name/description (Xiaomi Miot device control) match the code and instructions: the skill implements login, token caching, and device list retrieval via Xiaomi APIs and uses Feishu to present interactive login cards. Requesting FEISHU_APP_ID/FEISHU_APP_SECRET (to send cards) and Xiaomi OAuth client id/secret is consistent with the described flow. However, one code file (login_card.py) hard-codes a Xiaomi client_secret value rather than using the declared environment variable, which contradicts the SKILL.md statement that secrets are passed via env vars.
Instruction Scope
SKILL.md describes a login flow, token caching path (~/.openclaw/skills/xiaomi-miot/data/token_cache.json), and the need to provide FEISHU and Xiaomi credentials. The runtime instructions and the code operate within that stated scope: they request credentials, prompt for captcha when needed, call Xiaomi APIs, and use Feishu APIs to show/update cards. The skill stores tokens locally in the declared cache path. There is no instruction or code that accesses unrelated system paths or sends data to third-party endpoints other than Xiaomi and Feishu.
Install Mechanism
No install spec (instruction-only) and a small requirements.txt with 'requests' only. This is a low-risk install pattern and consistent with an instruction-only Python skill.
Credentials
Requested environment variables (XIAOMI_CLIENT_ID/SECRET and FEISHU_APP_ID/SECRET) are appropriate for the listed capabilities. However, login_card.py contains a hard-coded Xiaomi client_secret string used in OAuth token calls, contradicting the SKILL.md claim that sensitive information is passed via environment variables and not hard-coded in the code ('敏感信息通过环境变量传递,不硬编码在代码中'). This discrepancy is a meaningful inconsistency: either the code ignores the provided CLIENT_SECRET env var (leading to unexpected behavior), or the author accidentally embedded a secret. Hard-coded client secrets are a risk because they may leak or be reused incorrectly.
Persistence & Privilege
The skill does persist the OAuth token to ~/.openclaw/skills/xiaomi-miot/data/token_cache.json as described in SKILL.md; this is expected for an integration that needs reusable tokens. The skill is not marked always:true and does not request system-wide privileges or alter other skills' configs.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install xiaomi-miot-lan
- After installation, call the skill by name directly or trigger it with /xiaomi-miot-lan
- Provide the required inputs as described in the skill's parameter documentation to get structured output.
Version history
v1.4.0
Bug fix: several resp.json() calls did not handle the &&&START&&& prefix, causing JSON parse failures; login flow optimized.
v1.3.0
Security fix: removed hard-coded credentials in favor of environment variables; fixed dependency mismatch (aiohttp→requests).
v1.2.0
Security fix: removed data/config.json, which contained sensitive information; the token cache is now generated at runtime.
v1.1.0
Cross-platform compatibility release: removed the card dependency in favor of plain-text interaction; supports Feishu / WeCom / DingTalk / web / terminal.
v1.0.1
Fixed the authentication flow: uses OAuth2 + macaroon token, successfully retrieves the device list, supports router and Xiao AI speaker control.
v1.0.0
Xiaomi Mi Home smart-home control skill, supporting device list queries, switch control, scene triggering, etc.
FAQ
What is Xiaomi Miot?
Xiaomi Mi Home smart-home control skill. Controls Xiaomi IoT devices such as lights, air conditioners and robot vacuums through Xiao AI speakers and Mi Home devices. Used when the user issues smart-home commands such as "turn on the light", "turn off the air conditioner" or "have the robot vacuum clean". It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 158 downloads to date.
How do I install Xiaomi Miot?
Run the command "/install xiaomi-miot-lan" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Xiaomi Miot free?
Yes, Xiaomi Miot is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Xiaomi Miot support?
Xiaomi Miot runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Xiaomi Miot?
Developed and maintained by woodylan (@lanlan314); current version v1.4.0.