v1.0.0

Apple Media Officialpm 0.1.1

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:32 AM.

Analysis

This looks like a straightforward Apple media/AirPlay control skill, but it can scan your local network and control speakers or Apple TV devices through external tools.

Guidance: Install this only if you want your agent to scan your local network for AirPlay devices and control local media playback or volume. Verify pyatv, Airfoil, and any sibling Airfoil skill before use, be cautious with Accessibility or pairing prompts, and avoid sharing scan outputs because they may include local device names and IP addresses.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
atvremote -n "TV" turn_on
atvremote -n "TV" turn_off
...
./scripts/volume.sh "Living Room" 35

The skill documents commands that can change Apple TV power/playback state and speaker volume. This is aligned with the stated media-control purpose, but users should know it can affect local devices.

User impact: If invoked at the wrong time or against the wrong device, the agent could change volume, route audio, or turn an Apple TV on or off.
Recommendation: Use it only when you want local media-device control, and confirm target device names and volume levels before running control commands.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
pipx install pyatv || pipx upgrade pyatv
pipx reinstall pyatv --python python3.12
...
../airfoil/airfoil.sh list

The skill depends on an external pyatv installation and a sibling Airfoil skill/helper script. These dependencies are disclosed and purpose-aligned, but they are not fully captured by the registry requirements.

User impact: Installing or invoking the skill also places trust in external packages/tools outside the reviewed bundled scripts.
Recommendation: Install pyatv and Airfoil only from trusted sources, review the Airfoil skill separately, and avoid running dependency updates blindly in sensitive environments.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
README.md
Install Airfoil and grant Accessibility permissions.

The Airfoil-based control path may require macOS Accessibility permission, which is a meaningful local privilege. It is disclosed and consistent with speaker control, but users should grant it deliberately.

User impact: Granting Accessibility permission expands what the Airfoil app may be allowed to control on the Mac.
Recommendation: Grant Accessibility only to the trusted Airfoil app if you need speaker routing/volume control, and revoke it later if no longer needed.