Roku Control

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with the wrong device or unintended command, the agent could launch apps, send text, change volume, navigate menus, or power off a Roku on the local network.

Why it was flagged

The script sends unauthenticated local HTTP POST requests to a Roku device to perform remote-control actions. This is the advertised purpose, but it can still change device state.

Skill content

url = f"http://{self.roku_ip}:{ROKU_PORT}/keypress/{key}"
response = requests.post(url, timeout=5)

Recommendation

Use it only on a trusted LAN, verify the Roku IP address, and ask the agent to confirm before disruptive actions such as power, text entry, or app launching if that matters to you.

What this means

Installing Python packages can introduce dependency risk if done from an untrusted package index or uncontrolled environment.

Why it was flagged

The skill asks the user to install an external Python package without a pinned version. The dependency is common and expected for HTTP requests, but it is still a normal supply-chain consideration.

Skill content

pip3 install requests

Recommendation

Install dependencies from a trusted package source, preferably in an isolated environment, and pin versions if you need reproducible installs.