ClawTV

Security checks across malware telemetry and agentic risk

Overview

ClawTV is a transparent Apple TV automation skill, but it needs review because it stores media-control credentials locally and uses broad macOS automation with a real script-injection weakness.

Install only if you are comfortable giving this script control of your Apple TV and optional Plex server, and with AI mode sending TV screenshots and goals to Anthropic. Use a budget-limited Anthropic key, avoid AI mode on account or billing screens, delete old screenshots, manually restrict ~/.clawtv/config.json permissions, and be cautious pairing with devices whose names you do not control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end tell
    return false
    '''
    result = subprocess.run(["osascript", "-e", script], capture_output=True, text=True)
    if result.returncode != 0:
        print(f"QuickTime setup failed: {result.stderr}")
        return False
Confidence
96% confidence
Finding
result = subprocess.run(["osascript", "-e", script], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill appears to use powerful capabilities including environment access, file read/write, network access, and shell execution without declaring corresponding permissions. That undermines user review and sandbox expectations, and can conceal sensitive operations such as credential access, local file manipulation, or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose describes a remote-control skill, but the detected behavior includes broader local-network discovery, cloud-linked Plex resource access, direct app launching, text entry, playback metadata access, and desktop automation through AppleScript/System Events. This mismatch is dangerous because it masks a much larger attack surface and could let the skill interact with local devices, accounts, and host applications in ways a user would not reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill sends user goals and screenshots to Anthropic and reads an API key from the environment, but this external data flow is not clearly justified by the manifest description. In a skill context controlling a TV, hidden third-party transmission of screen content materially increases privacy risk because screenshots may contain personal viewing history, account names, or other sensitive on-screen data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that screenshots of the Apple TV are sent to Claude's vision API, but it does not clearly warn users that those screenshots may contain sensitive on-screen data such as account names, email addresses, search history, recommendations, billing/account settings, or other private content. In a tool designed to autonomously inspect arbitrary TV app screens, this omission creates a real privacy risk because users may unknowingly transmit personal or regulated content to a third-party AI service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Apple TV screenshots are base64-encoded and sent to Anthropic in the vision loop without an explicit consent gate or prominent warning at the moment of transmission. In this skill's context, screen captures can expose entertainment choices, search queries, profiles, subscription data, and potentially sensitive QR codes or account information, making the undisclosed exfiltration a meaningful privacy vulnerability.

Missing User Warnings

Low
Confidence
86% confidence
Finding
Plex playback requests are sent to Anthropic for intent parsing without clear disclosure to the user. Although less sensitive than screenshots, media requests can still reveal personal preferences and viewing habits, so silently transmitting them to a third party is a privacy issue.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyatv>=0.15.0
anthropic>=0.40.0
plexapi>=4.15.0
pyobjc-framework-Quartz>=10.0  # optional: QuickTime screenshot method
Confidence
95% confidence
Finding
pyatv>=0.15.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyatv>=0.15.0
anthropic>=0.40.0
plexapi>=4.15.0
pyobjc-framework-Quartz>=10.0  # optional: QuickTime screenshot method
Confidence
98% confidence
Finding
anthropic>=0.40.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyatv>=0.15.0
anthropic>=0.40.0
plexapi>=4.15.0
pyobjc-framework-Quartz>=10.0  # optional: QuickTime screenshot method
Confidence
94% confidence
Finding
plexapi>=4.15.0

Known Vulnerable Dependency: anthropic — 2 advisories: CVE-2026-34450 (Claude SDK for Python has Insecure Default File Permissions in Local Filesystem); CVE-2026-34452 (Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox)

Low
Category
Supply Chain
Confidence
97% confidence
Finding
anthropic

VirusTotal

66/66 vendors flagged this skill as clean.
