Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stremio Casting

v1.0.0

Searches for content on Stremio Web and streams it to Chromecast devices using CATT and Playwright. Use it to play movies and series directly from Stremio on TVs.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The description and SKILL.md claim the skill uses a local Stremio service on 127.0.0.1:11470, but the script's stremio_url is hard-coded to a stremio.rocks host (192-168-15-162.519b6502d940.stremio.rocks:12470). That external streamingServer parameter is not explained and is not required by the stated purpose (local Stremio). This is an incoherence between claimed purpose and actual behavior.
Instruction Scope
SKILL.md describes intercepting a local server URL and running Playwright to control Stremio; the script does automate the web UI and intercepts requests, but it only looks for URLs containing 'stremio.rocks' or .mp4, not 127.0.0.1. The script will therefore capture and cast remote URLs (and will send those URLs to the user's Chromecast). Visiting and executing the remote app UI (via Playwright) also executes whatever remote JavaScript/CSS the page serves, which could expose the agent environment to untrusted content.
Install Mechanism
There is no install spec; SKILL.md requires Playwright and catt but does not provide an installation step. This is not inherently malicious, but it means the agent/user must install dependencies manually and there's no pinned/verified source for those dependencies in the package metadata.
Credentials
The skill does not request environment variables, credentials, or config paths. It only requires local tools (Playwright, catt) and expects a Stremio service — the requested surface is proportional to the stated functionality, aside from the external streamingServer discrepancy noted above.
Persistence & Privilege
The skill is not always-enabled and uses normal, user-invoked behavior. It does not request elevated privileges or modify other skills' config. Autonomous invocation is allowed by default but is not combined here with other high-risk privileges.
What to consider before installing
Before installing or running this skill, consider the following:

- The script is hard-coded to use a remote stremio.rocks streamingServer (not the local 127.0.0.1 service described). That remote host will see your search/query activity and can serve arbitrary content; only proceed if you trust that host.
- If you expect local-only operation, edit the script to point to your local Stremio server URL (127.0.0.1:11470) and update the request-matching logic accordingly.
- Install Playwright and catt from official sources, and run the script in an isolated environment (container or VM) if you are unsure about the remote streamingServer.
- Ask the skill author to explain why the stremio_url contains a stremio.rocks host and to update SKILL.md to match the actual behavior, or to remove the hard-coded remote streamingServer and provide an install script that pins dependencies.
- If you cannot verify the remote host, do not run this skill on sensitive machines or networks; run it in a sandboxed environment where outbound connections are restricted.

What would change this assessment: If the author confirms the stremio.rocks URL is an official, trusted relay (with proof) or replaces the hard-coded URL with a configurable local address and updates SKILL.md to match, the skill would be coherent with its stated purpose and could be considered benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk971qey1xjnxkrmk1gdnmy9e35805xy2
