Control Chromecast

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Chromecast control reference that can affect local Cast devices, but its capabilities are disclosed and match its purpose.

Install only if you want an agent to operate Chromecast or Google Cast devices on your local network. In shared homes or offices, use explicit device selection with `-d <device>`, confirm the target before casting or changing volume, and be cautious with `catt save`/`catt restore` because saved playback state may reveal or replay prior media.

SkillSpector

By NVIDIA

Vulnerability Patterns

Rogue AgentSelf-Modification, Session Persistence
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Low

Confidence: 95% confidence
Finding: The skill controls Chromecast devices over the local network and can discover or operate shared household/workplace devices, but the documentation does not clearly warn users about that scope. This can lead to unintended control of nearby devices, privacy surprises, or disruptive playback on shared TVs/speakers even if the underlying commands are legitimate.

Session Persistence

Medium

Category: Rogue Agent
Content: # Save current state (position, volume, what's playing) catt save # Restore saved state later catt restore ```
Confidence: 82% confidence
Finding: Restore saved state

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal