Stremio Casting

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says broadly, but its code quietly uses a hard-coded Stremio server address that does not match the documented local setup.

Review this skill before installing. Edit the script to point to your own Stremio service, remove or justify the disabled browser protections, and confirm the exact Chromecast device and selected stream before casting.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill description does not clearly warn that it intercepts a locally generated Stremio stream URL and forwards it to a Chromecast device. That omission reduces informed consent and can expose local service details or cause unintended content transmission to devices on the user's network.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal