Apple Media

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears to do what it says: scan and control local Apple/AirPlay devices, with user-visible local commands and no evidence of hidden data exfiltration or destructive behavior.

This skill looks coherent for Apple/AirPlay discovery and control. Before installing, make sure you trust pyatv, Airfoil, and any referenced sibling airfoil skill; understand that scans reveal local device details; and confirm before letting an agent change playback, volume, speaker routing, or Apple TV power state.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked, the skill may discover nearby AirPlay devices and change speaker volume, routing, playback, or Apple TV power state.

Why it was flagged

The skill intentionally exposes local network discovery and media-device control. This is purpose-aligned, but it can affect real devices on the user's network.

Skill content

Discover and control Apple media/AirPlay devices ... scan for AirPlay devices, map names→IPs/IDs, pair/connect, and control playback/volume

Recommendation

Use it only on networks and devices you own or administer, and confirm before issuing playback, volume, connect/disconnect, or power commands.

What this means

Running the JSON scan executes the locally installed atvremote command and may perform local network discovery.

Why it was flagged

The helper runs a local shell command to scan for devices. This is expected for the skill, and the timeout is converted to a number before interpolation.

Skill content

const out = execSync(`atvremote scan -t ${Number(timeoutSec)}`, { encoding: 'utf8' })

Recommendation

Ensure pyatv/atvremote is installed from a trusted source and review command output before sharing it.

What this means

The behavior depends on whichever pyatv version pipx installs or upgrades, and on local Airfoil tooling for speaker control.

Why it was flagged

The setup relies on an external Python package installed or upgraded outside a pinned install spec. This is disclosed and relevant to the purpose, but users should trust the dependency.

Skill content

pipx install pyatv || pipx upgrade pyatv

Recommendation

Install pyatv and Airfoil from trusted sources, consider pinning versions in your own environment, and verify the sibling airfoil skill before using the connect/volume wrappers.

What this means

Granting Accessibility permissions gives Airfoil broader ability to control parts of the local macOS environment.

Why it was flagged

Airfoil may require macOS Accessibility permission, which is a sensitive local privilege. This is disclosed and aligned with speaker control.

Skill content

Install Airfoil and grant Accessibility permissions.

Recommendation

Grant Accessibility permissions only to trusted, official Airfoil installations and revoke them if you stop using the skill.

What this means

Scan results may reveal names, IP addresses, and identifiers of devices on your local network.

Why it was flagged

The skill’s outputs can include local device addresses and identifiers. There is no evidence of exfiltration, but this information may be sensitive if saved or shared.

Skill content

The scan output includes IP addresses at runtime; do not commit scan outputs.

Recommendation

Avoid posting or committing scan logs, and treat device names, IPs, and identifiers as private local-network information.