追剧/追番技能, 支持投屏到电视

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed media-search and TV-casting helper, with real but expected risks from external package runners and local TV control.

Install only if you trust the upstream mcporter and mcp-vods packages executed through npx and uvx. Treat casting as a real device-control action: confirm the media URL and target TV IP, and use it only with TVs you own or are allowed to control.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly supports casting media to devices on the user's local network via configured IP addresses, but the documentation does not clearly warn that invoking the tool causes real actions on network-connected TVs. This can lead to unintended device interaction, privacy issues, or misuse if an agent triggers playback without clear user confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal