Back to skill
Skillv1.0.2
VirusTotal security
ClawTV · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:55 AM
- Hash
- b0a7ba7b39f72e8a2664a451a9b872e56df96054148f52f80ee35fe3c62408f5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawtv Version: 1.0.2 The skill is classified as suspicious due to critical vulnerabilities and high-risk capabilities, despite transparent disclosure. The `skill.md` and `clawtv.py` explicitly detail that sensitive credentials (Apple TV pairing tokens, Plex tokens) are stored unencrypted in `~/.clawtv/config.json`, posing a significant local compromise risk. Additionally, the skill captures and transmits potentially sensitive Apple TV screenshots to Anthropic's Claude API, a privacy concern, though this is also disclosed. The extensive use of macOS GUI automation via `osascript` and `subprocess.run` for screenshot capture, while necessary for functionality, grants the script broad control over the user's desktop environment. There is no evidence of intentional malicious behavior like unauthorized data exfiltration or persistence.
- External report
- View on VirusTotal