Stremio CLI

Security checks across malware telemetry and agentic risk

Overview

The skill is a narrow Stremio playback automation, but users should notice that it relies on a saved Stremio account and includes an unused legacy casting script.

Install only on the intended Mac Mini and account. Be comfortable with the agent using the saved Stremio login/browser session to search and play media. Consider deleting or auditing scripts/stremio_cast.py if you do not want any legacy stream-extraction or Chromecast/catt casting capability present.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script intercepts network requests to extract the underlying media stream URL and then uses that URL outside the Stremio UI flow. This is a hidden data/control flow not disclosed in the skill description, and it can bypass user expectations, application controls, or future access restrictions embedded in the normal player flow.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The script sends media to an external playback device via `catt`, but the manifest only describes browser-based Stremio automation. Undisclosed control of external devices is security-relevant because it expands the skill's real-world reach and can trigger actions beyond what a reviewer or user would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Executing the external `catt` command gives the skill the ability to control another device on the user's network, which is a privileged side effect beyond simple web automation. In this skill context, that is more dangerous because the code can cause unintended playback on a named device in the environment without an explicit, separately disclosed trust boundary.

Vague Triggers

Medium
Confidence: 86%
Finding
Broad trigger phrases that resemble everyday requests can cause the skill to activate unintentionally in contexts where the user did not mean to invoke media automation. In this skill, accidental invocation is riskier because it may use stored credentials and initiate browsing or streaming actions on an external machine without clear user intent.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill description references stored credentials in Keychain but does not present a clear warning or consent-oriented explanation that invoking the skill may use those credentials. Because the skill performs account-backed media actions, omission of that warning reduces informed consent and increases the chance of unauthorized or surprising account use.

VirusTotal

VirusTotal findings are pending for this skill version.
