YouTube Music Cast
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill’s music casting workflow is coherent, but it asks users to run unreviewed helper scripts, use a Home Assistant token, and expose downloaded media on the local network.
Before installing, verify the missing install scripts from a trusted source, understand where the Home Assistant token will be stored, use the narrowest Home Assistant permissions available, and run the local media server only on networks you trust.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user obtains and runs those missing scripts from elsewhere, they would be trusting code that was not included in this review.
The reviewed package contains only SKILL.md and has no install spec or code files, but the instructions reference installer scripts that are not present for review.
chmod +x scripts/* ... ./install.sh --global ... Or install locally ./install.sh
Only run install.sh or scripts/* after inspecting them from a trusted source, and prefer a local/non-global install where possible.
A Home Assistant token may allow more control over the home environment than just music playback if it is mishandled or over-privileged.
A Home Assistant long-lived token is expected for sending playback commands, but it grants sensitive authority, and the registry metadata declares no primary credential or required environment variables.
The wizard will ask for: ... Long-Lived Access Token — Generate in HA → Profile → Long-Lived Access Tokens
Use a dedicated least-privilege Home Assistant account/token if possible, store it securely, and revoke it when no longer needed.
Other devices on the same network may be able to access hosted media if the server is reachable and not otherwise restricted.
The local web server is necessary for Chromecast playback, but it intentionally exposes downloaded media files to the local network.
A lightweight Python HTTP server makes your downloaded files accessible over your local network.
Run the server only on trusted networks, keep the served directory limited to intended media files, and stop the server when not in use.
