Apple Media Remote (for HomePod, Apple TV, etc)

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Apple media remote helper, with disclosed device-control and streaming commands that fit its stated purpose.

Install this only if you want an agent to control your Apple media devices. Pairing creates reusable local credentials in ~/.pyatv.conf, so protect that file and remove it when you no longer trust the machine. Only ask the skill to stream files and URLs you intentionally want sent to your device.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 75% confidence
Finding: The skill states that pairing credentials are stored automatically in ~/.pyatv.conf but does not warn users that reusable device-control credentials will persist on disk. If that file is readable by other local users, included in backups, or mishandled, an attacker could reuse those credentials to control paired devices without re-pairing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal