Skill v1.0.0

ClawScan security

Control Chromecast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:22 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (controlling Chromecast) matches its requirements and runtime instructions: it simply wraps the 'catt' CLI and asks to install that package; nothing appears disproportionate or covert.
Guidance
This skill appears coherent and implements Chromecast control by invoking the catt CLI. Before installing, you should: (1) verify the catt package source on the linked GitHub repo and PyPI page to ensure you trust it; (2) be aware that 'pip install' can execute package-supplied code at install time (a source distribution's setup.py runs on your machine; a wheel does not, but its code still runs the first time the agent invokes catt) and will pull in dependencies (yt-dlp, etc.); (3) accept that the tool needs local network access (mDNS discovery) and may open TCP ports in the 45000–47000 range to serve local files for casting, so avoid exposing those ports on untrusted networks; (4) know the tool will write settings to ~/.config/catt/catt.cfg (device aliases and defaults); and (5) consider installing inside a virtual environment or other isolated environment if you want to limit system-wide impact.

Review Dimensions

Purpose & Capability
ok · The name/description are about controlling Chromecast devices and the skill only requires the 'catt' CLI (which is the expected tool for this purpose). No unrelated services, credentials, or binaries are requested.
Instruction Scope
ok · SKILL.md contains concrete catt command examples (scan, cast, play, pause, status, etc.). It references the catt config file (~/.config/catt/catt.cfg) and local-network requirements (mDNS, ports), which are expected for Chromecast control. The instructions do not ask the agent to read unrelated system files, harvest credentials, or transmit data to unexpected external endpoints.
Install Mechanism
note · Install uses a Python package (uv/pip) to provide the 'catt' CLI (package name 'catt'). Installing from PyPI is common and appropriate here, but 'pip install' can run package-supplied code at install time (the setup.py of a source distribution) and will pull in dependencies (e.g., yt-dlp, ffmpeg-related tooling). Recommend reviewing the catt package source (GitHub repo listed) and PyPI metadata before installing.
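The Guidance items (1), (2) and (5) and the Install Mechanism note above amount to one procedure: fetch the package without installing it, look at what would run and what would be pulled in, then install into an isolated environment. The following script is an added example for this page; it is not ClawHub's scanner code and not part of the catt project. It assumes the source archive was downloaded separately (for instance with `pip download --no-deps --no-binary :all: catt -d ./audit`), reads the archive's PKG-INFO and setup.py without extracting it, and builds a pip command line that refuses source builds when a setup.py is present. The two sample archives and the suspicious-name list are constructed for illustration.

```python
"""Pre-install audit of a Python source distribution (sdist).

Added example for this scan page; not ClawHub's scanner code and not part of
the catt project. Answers two questions the guidance raises before you run
`pip install`: does installing this archive execute package-supplied code on
your machine (it does whenever the sdist carries a setup.py), and which
dependencies pip will pull in with it.
"""
from __future__ import annotations

import io
import re
import sys
import tarfile
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Names whose presence in a setup.py deserves a look before installing.
# Illustrative list chosen for this example, not a complete signature set.
SUSPICIOUS_IN_SETUP = re.compile(
    r"\b(subprocess|os\.system|urllib|requests|socket|base64|exec\(|eval\()"
)


@dataclass
class SdistReport:
    name: str
    version: str
    has_setup_py: bool              # True: code runs at install time
    requires: list[str] = field(default_factory=list)
    suspicious: list[str] = field(default_factory=list)


def audit_sdist(path: Path) -> SdistReport:
    """Read PKG-INFO and setup.py straight out of the tarball, without extracting."""
    with tarfile.open(path, "r:*") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        # sdists unpack to a single "<name>-<version>/" directory.
        top = next(iter(members)).split("/")[0]
        pkg_info = tar.extractfile(members[f"{top}/PKG-INFO"]).read().decode()
        name = re.search(r"^Name: (.+)$", pkg_info, re.M).group(1).strip()
        version = re.search(r"^Version: (.+)$", pkg_info, re.M).group(1).strip()
        requires = [r.strip() for r in re.findall(r"^Requires-Dist: (.+)$", pkg_info, re.M)]
        setup_py = members.get(f"{top}/setup.py")
        suspicious: list[str] = []
        if setup_py is not None:
            src = tar.extractfile(setup_py).read().decode(errors="replace")
            suspicious = sorted(set(SUSPICIOUS_IN_SETUP.findall(src)))
    return SdistReport(name, version, setup_py is not None, requires, suspicious)


def recommended_install_argv(report: SdistReport, python: str = "python") -> list[str]:
    """pip command for an isolated venv: run `python` as that venv's interpreter."""
    argv = [python, "-m", "pip", "install"]
    if report.has_setup_py:
        # Require a prebuilt wheel so setup.py never executes here; pip fails
        # instead of silently falling back to a source build.
        argv += ["--only-binary", ":all:"]
    argv.append(f"{report.name}=={report.version}")
    return argv


def build_sample_sdist(dest: Path, name: str, version: str,
                       requires: list[str], extra_files: dict[str, str]) -> Path:
    """Write a minimal sdist tarball (constructed fixture, not a real PyPI archive)."""
    top = f"{name}-{version}"
    pkg_info = f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n"
    pkg_info += "".join(f"Requires-Dist: {r}\n" for r in requires)
    with tarfile.open(dest, "w:gz") as tar:
        for rel, text in {"PKG-INFO": pkg_info, **extra_files}.items():
            data = text.encode()
            info = tarfile.TarInfo(f"{top}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return dest


def demo() -> tuple[SdistReport, SdistReport]:
    """Audit two constructed archives: one pyproject-only, one with a setup.py."""
    with tempfile.TemporaryDirectory() as d:
        clean = build_sample_sdist(
            Path(d) / "clean-1.0.tar.gz", "clean", "1.0",
            ["yt-dlp>=2024.1", "requests"],
            {"pyproject.toml": "[build-system]\nrequires = ['flit_core']\n"},
        )
        risky = build_sample_sdist(
            Path(d) / "risky-0.1.tar.gz", "risky", "0.1", ["requests"],
            {"setup.py": "import subprocess, base64\n"
                         "subprocess.run(['curl', 'http://example.invalid'])\n"},
        )
        return audit_sdist(clean), audit_sdist(risky)


if __name__ == "__main__":
    reports = [audit_sdist(Path(p)) for p in sys.argv[1:]] or list(demo())
    for r in reports:
        print(r)
        print("  install with:", " ".join(recommended_install_argv(r)))
```

Run it as `python audit_sdist.py ./audit/catt-<version>.tar.gz` after the download step (file name assumed), or with no arguments to see the two constructed cases. The `--only-binary :all:` choice only covers the install-time half of item (2): a wheel runs nothing when installed, but the package code still executes the first time the agent invokes catt, which is why item (1), reading the repository, remains necessary.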
Credentials
ok · The skill requests no environment variables or external credentials. This is proportional: controlling local Chromecast devices does not require cloud API keys. The only filesystem/config interaction is the user's catt config in their home directory, which is appropriate.
Persistence & Privilege
note · 'always' is false (the skill is not force-included). The skill will read/write its own config (~/.config/catt/catt.cfg) when using commands like set_default; this is expected but worth noting because it persists device aliases/defaults to the user's home config. Autonomous invocation by the agent is allowed (platform default); that is normal but increases impact if the installed package were malicious.