Back to skill

Security audit

Chromecast With Google Tv

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Chromecast control skill, but it needs review because weak input validation can expose a paired TV to unsafe ADB shell commands.

Install only if you are comfortable enabling ADB wireless debugging on the Chromecast and giving the skill control of that device. Use it on a trusted network, pass explicit device details, avoid untrusted Tubi URLs or arbitrary search strings, and disable Wireless/USB debugging or remove old ADB pairings when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill explicitly uses environment variables, reads and writes a local cache file, performs network communication to Chromecast devices over ADB, and invokes shell-executed tools like adb, scrcpy, uv, and yt-api, yet no permissions are declared. This creates a transparency and trust problem: users and orchestrators may authorize or invoke the skill without understanding that it can access the network, persist device information, and execute host binaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The stated purpose frames the skill as simple 'casting,' but the documented behavior includes ADB wireless pairing, device discovery, connectivity inspection, host-side caching, Android intent launching, and UI automation across arbitrary streaming apps. That mismatch can mislead users and policy systems about the actual level of device control, causing overbroad access to be granted to a skill that effectively performs remote control and app automation on a TV device.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The skill description frames this as media casting, but the code also performs ADB wireless pairing, connection management, device discovery, and generic media-control actions against a TV device. That broader capability increases the chance a caller or reviewer underestimates the level of device access being granted and could lead to unintended remote control of a paired device.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The global-search fallback accepts arbitrary `--app` names and launches a separate helper for UI automation, which extends behavior beyond the clearly described YouTube/Tubi casting use case. In context, this broadens the skill from constrained casting into more open-ended app automation on a paired device, increasing abuse potential if invoked unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to enable Developer Options, USB debugging, and Wireless debugging on a consumer streaming device, but does not warn that these settings materially weaken device security. If left enabled, especially over Wi‑Fi, an attacker on the same network or someone with prior pairing access could potentially connect, control the device, install apps, or access debugging capabilities. In this skill’s context, ADB access is required for functionality, which makes the behavior understandable, but the absence of prominent security guidance is still a real security weakness.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation guidance is broad enough to trigger on general requests to play, pause, check status, pair devices, or launch content in other apps, without clear exclusion boundaries. In practice, that increases the chance of accidental activation of a skill that can connect to devices over ADB and automate UI actions, potentially causing unintended device control or pairing workflows.

Unvalidated Output Injection

High
Category
Output Handling
Content
addr = f"{ip}:{port}"
    cmd = ['adb', 'pair', addr, code]
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        out = (p.stdout or '') + (p.stderr or '')
        # Treat adb's return code as the primary success indicator. The output may contain
        # phrases like "Successfully paired" or "paired to", but that is not required.
Confidence
84% confidence
Finding
subprocess.run(cmd, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
cmd += ['-s', device]
    cmd += list(args)
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        out = (p.stdout or '') + (p.stderr or '')
        return p.returncode, out
    except FileNotFoundError:
Confidence
86% confidence
Finding
subprocess.run(cmd, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
"""
    for bin_path in yt_api_candidates():
        try:
            p = subprocess.run([bin_path, 'search', query], capture_output=True, text=True, timeout=15)
            out = (p.stdout or '').strip()
            if p.returncode != 0:
                continue
Confidence
83% confidence
Finding
subprocess.run([bin_path, 'search', query], capture_output

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.