YouTube Music Cast
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: ytm-cast
Version: 6.0.0
The skill is classified as suspicious due to the requirement and storage of a Home Assistant Long-Lived Access Token in a plain text configuration file (`~/.youtube-music-cast/config.sh`), and the operation of a local HTTP server (`python3 -m http.server`) on the user's network. While these capabilities are necessary for the skill's stated purpose of casting music, they represent significant security risks by exposing sensitive credentials and opening a network port. There is no evidence of intentional malicious behavior or prompt injection attempts against the agent in the `SKILL.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user obtains and runs those missing scripts from elsewhere, they would be trusting code that was not included in this review.
The reviewed package contains only SKILL.md and has no install spec or code files, but the instructions reference installer scripts that are not present for review.
chmod +x scripts/* ... ./install.sh --global ... Or install locally ./install.sh
Only run install.sh or scripts/* after inspecting them from a trusted source, and prefer a local/non-global install where possible.
A Home Assistant token may allow more control over the home environment than just music playback if it is mishandled or over-privileged.
A Home Assistant long-lived token is expected for sending playback commands, but it is sensitive authority and the registry metadata declares no primary credential or required environment variables.
The wizard will ask for: ... Long-Lived Access Token — Generate in HA → Profile → Long-Lived Access Tokens
Use a dedicated least-privilege Home Assistant account/token if possible, store it securely, and revoke it when no longer needed.
Other devices on the same network may be able to access hosted media if the server is reachable and not otherwise restricted.
The local web server is necessary for Chromecast playback, but it intentionally exposes downloaded media files to the local network.
A lightweight Python HTTP server makes your downloaded files accessible over your local network.
Run the server only on trusted networks, keep the served directory limited to intended media files, and stop the server when not in use.
