Roku Control
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent local Roku remote-control skill. The main things to notice are that it can change TV/device state on your LAN and that it requires a manual Python dependency install.
Before installing, be comfortable with an agent sending local remote-control commands to a Roku device. Verify the target IP, keep use limited to your trusted network, and install the Python dependency from a trusted source.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with the wrong device or unintended command, the agent could launch apps, send text, change volume, navigate menus, or power off a Roku on the local network.
The script sends unauthenticated local HTTP POST requests to a Roku device to perform remote-control actions. This is the advertised purpose, but it can still change device state.
url = f"http://{self.roku_ip}:{ROKU_PORT}/keypress/{key}"
response = requests.post(url, timeout=5)
Use it only on a trusted LAN, verify the Roku IP address, and ask the agent to confirm before disruptive actions such as power, text entry, or app launching if that matters to you.
Installing Python packages can introduce dependency risk if done from an untrusted package index or uncontrolled environment.
The skill asks the user to install an external Python package without a pinned version. The dependency is common and expected for HTTP requests, but it is still a normal supply-chain consideration.
pip3 install requests
Install dependencies from a trusted package source, preferably in an isolated environment, and pin versions if you need reproducible installs.
