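Use when the user wants to connect to, authenticate with, inspect, list, or control the Xiaodu smart screen (小度智能屏) MCP and the Xiaodu IoT MCP, including device lookup, text-to-speech broadcast, voice commands, taking photos, resource push, IoT scenes and home-appliance control, and related troubleshooting.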
Security Analysis
High confidence
This skill is internally coherent for controlling 小度 devices: its scripts and SKILL.md match the described purpose and require the user's MCP/OAuth credentials (stored locally), but you should inspect and consent to local config writes and an optional periodic refresh task before installing.
Name/description match what the files do: listing devices, TTS, photo, resource push, IoT control, and token refresh via mcporter and Baidu OAuth. The scripts call mcporter and the Baidu token endpoint, which is appropriate for the stated purpose. Minor metadata mismatch: registry metadata lists no required env vars/credentials, but the skill clearly requires user-held ACCESS_TOKEN/AppKey/SecretKey/refresh_token stored in ~/.mcporter and ~/.mcporter/xiaodu-iot-oauth.json.
SKILL.md and accompanying scripts explicitly instruct the agent to run local scripts and mcporter CLI, probe endpoints, and read/write mcporter credential/config files. All referenced files, paths (~/.mcporter/*, ~/.openclaw/workspace) and network calls (to the configured MCP endpoints and Baidu OAuth) are within the stated scope and purpose.
No install spec is provided (instruction-only skill). The repository includes shell/python helper scripts that will be placed on disk when the skill is installed; they are plain-text and not obfuscated. No remote downloads or third‑party package installs are forced by the skill itself (aside from advising mcporter or npx usage), so installation risk is low but scripts will run locally.
The skill legitimately needs sensitive credentials (ACCESS_TOKEN for MCP, and AppKey/SecretKey/refresh_token for IoT OAuth). Those are expected for the functionality, but the registry metadata does not declare required env vars or primary credentials—users may be surprised. The refresh script will write updated access tokens back into the user's mcporter config (~/.mcporter/mcporter.json) and update the oauth file (~/.mcporter/xiaodu-iot-oauth.json), which is expected for token refresh but is sensitive behavior (it mutates local credential files).
always:false and normal autonomous invocation; nothing force-included. The skill includes an optional macOS launchd installer script that installs a periodic token-refresh job under the user's LaunchAgents (launchctl bootstrap), which is explicit in docs. That creates persistent scheduled activity on the user's account if the user runs the installer — expected for token refresh but an important side-effect to accept consciously.
Guidance
This skill appears to do what it says: it uses mcporter to list and control 小度 devices and refresh Baidu OAuth tokens. Before installing or running:
1) Verify you trust the skill source (it will run local scripts and call mcporter).
2) Inspect the scripts (they are plain text), especially refresh_baidu_access_token.py and the launchd installer, so you understand exactly what will be written to ~/.mcporter/*.
3) Back up your ~/.mcporter/mcporter.json and ~/.mcporter/xiaodu-iot-oauth.json before first run, because the refresh script will modify them to write new tokens.
4) Do not share AppKey/SecretKey/refresh_token/ACCESS_TOKEN with others; keep files with restrictive permissions (chmod 600).
5) Only install the macOS launchd job if you want a scheduled background refresh running under your user account.
6) If you are unsure about mcporter or the dueros-iot-mcp stdio server, test commands manually (mcporter list / mcporter call and the included scripts) before allowing automated or agent-driven runs.
If you want, provide the skill only with short-lived tokens and avoid checking 'install automatic refresh' until you confirm behavior.
Latest Release
v1.0.2
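Version 1.0.2: Use when the user wants to connect to, authenticate with, inspect, list, or control the Xiaodu smart screen (小度智能屏) MCP and the Xiaodu IoT MCP, including device lookup, text-to-speech broadcast, voice commands, taking photos, resource push, IoT scenes and home-appliance control, and related troubleshooting.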
Published by @dueros-mcp on ClawHub