Apple Media Remote (for HomePod, Apple TV, etc)
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the agent can change playback, volume, power state, app state, output grouping, or stream chosen media to local devices.
The skill documents state-changing commands for local media devices, including volume, power, and streaming a local file. This is expected for a remote-control skill, but it is real device-control authority.
atvremote -n "Kitchen" set_volume=50 ... atvremote -n "Apple TV" turn_off ... atvremote -n "Kitchen" stream_file=/path/to/audio.mp3
Use explicit device names and actions, and review or confirm disruptive commands such as turn_off, high volume changes, speaker grouping, or streaming files.
After pairing, future atvremote commands may control the paired Apple device without repeating the pairing step.
Pairing creates a persistent local credential/config file that can be reused for future control of paired devices. The behavior is disclosed and directly related to the skill purpose.
Some devices (especially Apple TV) require pairing before control ... Credentials are stored automatically in `~/.pyatv.conf` after pairing.
Pair only trusted devices, protect ~/.pyatv.conf, and remove or rotate pairing credentials if you no longer want this access.
Installation will pull the current pyatv package available to pipx, which may change over time.
The skill recommends installing the external pyatv package through pipx without pinning a version. This is central to the stated purpose and user-directed, but users should recognize the dependency provenance.
"command":"pipx install pyatv --python python3.13"
Install from a trusted package source and consider pinning or verifying the pyatv version if you need reproducible behavior.