Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

roku

Control Roku devices via CLI. Discovery, remote control, app launching, search, and HTTP bridge mode for real-time control.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.9k · 1 current installs · 1 all-time installs
by Gustavo Madeira Santana @gumadeiras
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims a TypeScript/Node CLI (roku-ts-cli) and the registry install uses an npm package that provides a 'roku' binary, but the packaged files are Python scripts that expect python-roku and requests. That mismatch (Node install but Python code included) is disproportionate and unexplained.
Instruction Scope
SKILL.md documents a CLI and an HTTP bridge service, but the repository files do not include an HTTP bridge implementation. Included Python daemons create /tmp/roku-control and /tmp/roku-daemon.sock and a Telegram poller that will call api.telegram.org — none of these runtime behaviours (especially Telegram polling) are declared in the skill metadata or required env vars.
Install Mechanism
Registry metadata/install spec installs the npm package 'roku-ts-cli' (moderate risk, expected for a Node CLI). However, the bundle contains Python scripts that require pip-installed dependencies (python-roku, requests) and no Python install steps are declared. This mismatch means the declared install mechanism does not provision artifacts the code needs.
Credentials
The skill declares no required env vars, but files expect ROKU_IP (used by daemon/listener/fast) and TELEGRAM_TOKEN (roku-telegram.py will exit unless TELEGRAM_TOKEN is set). TELEGRAM_TOKEN gives outgoing network access to Telegram and is not listed in metadata; this under-reporting of credentials is a proportionality and transparency issue.
Persistence & Privilege
SKILL.md instructs how to install a persistent bridge service (launchd/systemd) and shows a --user option; the included code does spawn background daemons and creates named pipes/sockets under /tmp. The skill is not marked always:true, but it does include components that can run persistently — verify what actually installs as a service before enabling.
What to consider before installing
Do not install or run this skill without further review.

Specific concerns:

  • The package claims a Node/TypeScript CLI but the shipped files are Python; verify the actual npm package (roku-ts-cli) and whether the binary on PATH is trusted and matches the code.
  • The bundle contains a Telegram poller (roku-telegram.py) that requires TELEGRAM_TOKEN and will poll api.telegram.org and write commands to a local pipe. If you set TELEGRAM_TOKEN, the skill will have network access to Telegram and can receive remote commands — only provide this token if you intend that behavior.
  • The code expects ROKU_IP in env or will attempt discovery; it also creates /tmp/roku-control and /tmp/roku-daemon.sock for inter-process control — check permissions and who can write to these pipes to avoid unauthorized control.
  • SKILL.md mentions an HTTP bridge service, but no bridge implementation is present in the shipped code; do not assume the bridge exists or is safe.

What to do next:

  1) Inspect the actual npm package 'roku-ts-cli' (source, versions, and install scripts) before installing the declared npm package.
  2) If you only want CLI control, prefer the upstream project (GitHub link) and follow its documented install (python vs npm) — confirm which runtime is required.
  3) If you must try this, run it in an isolated environment (VM/container) and do not expose TELEGRAM_TOKEN or other secrets until you confirm behavior.
  4) Ask the publisher for clarifications: why Node install is declared when files are Python, and why TELEGRAM_TOKEN/ROKU_IP are not declared in metadata.
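One way to check the undeclared-credentials concern yourself before installing: the added example below (not code from the skill or from the scanner) parses a bundle's Python files without executing them and lists every environment variable they read that the metadata does not declare. The sample sources are constructed for illustration, the file name roku-daemon.py is hypothetical, and Python 3.9+ is assumed.

```python
import ast

# Spellings of environment reads this audit recognises.
ENV_CALLS = {"os.getenv", "getenv", "os.environ.get", "environ.get"}
ENV_MAPS = {"os.environ", "environ"}

def env_vars_read(source):
    """Return the env var names a Python source reads (parsed, never run)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        arg = None
        if isinstance(node, ast.Call) and node.args and ast.unparse(node.func) in ENV_CALLS:
            arg = node.args[0]            # os.getenv("X"), os.environ.get("X")
        elif isinstance(node, ast.Subscript) and ast.unparse(node.value) in ENV_MAPS:
            arg = node.slice              # os.environ["X"]
        if arg is not None:
            literal = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
            # A computed key cannot be resolved statically; flag it for manual review.
            names.add(arg.value if literal else "<dynamic>")
    return names

def undeclared_env(files, declared):
    """Map file name -> sorted env vars it reads that the metadata omits."""
    report = {}
    for name, source in files.items():
        extra = env_vars_read(source) - set(declared)
        if extra:
            report[name] = sorted(extra)
    return report

# Constructed sample sources standing in for the bundled scripts.
SAMPLE_BUNDLE = {
    "roku-telegram.py": (
        "import os, sys\n"
        "token = os.environ.get('TELEGRAM_TOKEN')\n"
        "if not token:\n"
        "    sys.exit(1)\n"
    ),
    "roku-daemon.py": (  # hypothetical file name
        "import os, sys\n"
        "ip = os.environ['ROKU_IP']\n"
        "extra = os.getenv(sys.argv[1])\n"
    ),
}

if __name__ == "__main__":
    # The skill metadata declares no required env vars, so declared is empty.
    for path, names in undeclared_env(SAMPLE_BUNDLE, declared=set()).items():
        print(f"{path}: undeclared env vars {names}")
```

To audit a real download, build the `files` mapping from the unpacked zip's `.py` files instead of `SAMPLE_BUNDLE`.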

Like a lobster shell, security has layers — review code before you run it.

Current version v2.0.0
latestvk97bjmdry03b2mkrh7pqmqvvw57zy546

Runtime requirements

📺 Clawdis
Bins: roku

Install

Install Roku CLI (npm)
Bins: roku
npm i -g roku-ts-cli

SKILL.md

Roku CLI

Fast TypeScript CLI for controlling Roku devices via the ECP API.

Installation

npm install -g roku-ts-cli@latest

Quick Start

# Discover devices and save an alias
roku discover --save livingroom --index 1

# Use the alias
roku --host livingroom device-info
roku --host livingroom apps

Commands

| Command | Description |
| --- | --- |
| roku discover | Find Roku devices on network |
| roku --host <ip> device-info | Get device info |
| roku --host <ip> apps | List installed apps |
| roku --host <ip> command <key> | Send remote key |
| roku --host <ip> literal <text> | Type text |
| roku --host <ip> search --title <query> | Search content |
| roku --host <ip> launch <app> | Launch app |
| roku --host <ip> interactive | Interactive remote mode |

Interactive Mode

roku livingroom                    # interactive control
roku --host livingroom interactive # same thing

Use arrow keys, enter, escape for remote-like control.

Bridge Service

Run a persistent HTTP bridge as a native OS service:

# Install and start the service
roku bridge install-service --port 19839 --token secret --host livingroom --user
roku bridge start --user

# Service management
roku bridge status --user
roku bridge stop --user
roku bridge uninstall --user

Send commands via HTTP:

# Send key
curl -X POST http://127.0.0.1:19839/key \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer secret" \
  -d '{"key":"home"}'

# Type text
curl -X POST http://127.0.0.1:19839/text \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer secret" \
  -d '{"text":"hello"}'

# Launch app
curl -X POST http://127.0.0.1:19839/launch \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer secret" \
  -d '{"app":"plex"}'

# Health check
curl http://127.0.0.1:19839/health -H "Authorization: Bearer secret"

Bridge Endpoints

| Endpoint | Body |
| --- | --- |
| POST /key | {"key": "home"} |
| POST /text | {"text": "hello"} |
| POST /search | {"title": "Stargate"} |
| POST /launch | {"app": "plex"} |
| GET /health | |
| GET /health?deep=1 | Deep health check (probes Roku) |

Aliases

# Save device alias
roku discover --save livingroom --index 1
roku alias set office 192.168.1.20

# Save app alias  
roku alias set plex 13535

# List aliases
roku alias list

# Use aliases
roku --host livingroom launch plex

Remote Keys

home, back, select, up, down, left, right, play, pause, rev, fwd, replay, info, power, volume_up, volume_down, mute

Notes

  • Roku must be on the same network as the CLI
  • Bridge service runs as a native launchd (macOS) or systemd (Linux) service
  • Use --user flag for user-space service (no sudo required)
  • Use --token for authentication in bridge mode

Source

https://github.com/gumadeiras/roku-cli

Files

8 total