Chromecast With Google Tv

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Chromecast control skill, but it needs review because it grants ADB control of a TV device and weakly validates URLs before sending them into device commands.

Install only if you trust the publisher and are comfortable enabling ADB Wireless Debugging on your Chromecast. Use explicit device and port values, pass only trusted Tubi URLs and show names, avoid package override environment variables unless you need them, and disable wireless debugging or revoke pairing when finished.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: The code supports a generic global-search fallback for arbitrary streaming apps, which exceeds the narrowly described providers in the skill metadata. This broadens the action surface on a paired Android TV device and can cause the agent to automate unintended apps or content flows that the user did not expect from the published scope.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: Environment variables can override the target Android package names for VIEW intents, allowing the skill to direct URLs into arbitrary installed apps rather than the intended YouTube or Tubi packages. In an agent setting, this creates a hidden retargeting mechanism that could be abused to launch unrelated applications on the paired device and bypass the skill's stated purpose.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal