Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Send2tv

v1.2.0

Push text messages, images, or audio to Huawei Smart Screen via DLNA/UPnP. Use when user wants to display something on TV or play audio/TTS on TV. Triggers:...

by SeanShen @seanshen-lec
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md match the stated purpose (push text/images/audio to a DLNA TV). However the package embeds hardcoded TV and local IPs (TV_IP=192.168.3.252, LOCAL_IP=192.168.3.53) and a specific HTTP port (8082) in both documentation and code — unusual for a generic 'send to TV' skill. The metadata claimed no required binaries or env, but the script expects external tools (node, ffmpeg, fuser) and fonts, which is an incoherence between declared requirements and actual needs.
Instruction Scope
The SKILL.md and script instruct the agent to start an HTTP server bound to 0.0.0.0:8082, kill other processes on that port (fuser -k), read/write files under /tmp and font paths, and invoke other skills' node script files (edge-tts paths under user/root skill directories). The HTTP server will expose served content on the host network; the script also directly opens TCP connections to a hardcoded TV IP/port to send raw SOAP. The instructions reference and rely on files outside the skill (edge-tts converter in other skill directories) and on binaries that are not declared in metadata.
Install Mechanism
There is no install spec (instruction-only with included script), which minimizes install-time risk. However the provided code will write to /tmp, start a network server, and execute external commands at runtime — the lack of an install step doesn't eliminate runtime risk.
Credentials
The skill declares no environment variables or credentials, which aligns with its simple LAN use-case. But the script accesses other skills' filesystem locations (e.g., /root/.claude/skills/edge-tts and user home paths) and expects external tools (node, ffmpeg) and specific fonts — these are not declared as required environment/binaries, so the declared environment access is incomplete and mismatched with actual behavior.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It does not modify other skills or platform-wide configuration in the visible code. The main privilege is runtime network access (binding 0.0.0.0) and spawning subprocesses.
What to consider before installing
This skill generally does what it claims (pushes images/audio to a DLNA TV) but has several red flags you should consider before installing or running it:

  • Hardcoded network addresses: The SKILL.md and script hardcode TV and local IPs and an HTTP port. You should update these to match your environment, or confirm they will not leak data or connect to private devices you don't control.
  • Undeclared external tools: The script invokes node (edge-tts converter), ffmpeg (audio conversion), and fuser (to free the HTTP port), but the skill metadata declares no required binaries. Install and audit these dependencies, and ensure you trust any externally executed scripts (especially the edge-tts converter referenced in other skill folders).
  • Network exposure: The script starts an HTTP server bound to 0.0.0.0:8082 and serves files from /tmp. If your machine is reachable from other hosts, content could be fetched by anyone on the network; ensure firewall rules limit access to your LAN and that the port is correct.
  • Cross-skill file access: The TTS implementation looks for converter JS files in other skills' directories (including /root paths). That means this skill will read and execute code from other skill folders; verify those files are trustworthy and that path assumptions match your installation.
  • Mismatch between docs and code: The skill text suggests installing an 'edge-tts' skill; this dependency is required at runtime but not declared in metadata. Treat that as a runtime dependency.

Recommended actions: review the full (non-truncated) script before running; change/remove hardcoded IPs or make them configurable; run in an isolated environment or behind a firewall; verify and install only trusted node/ffmpeg/font packages; and inspect any edge-tts converter JS before allowing this skill to execute it. If you want to proceed, prefer running it manually rather than granting it autonomous invocation until you confirm safe behavior.

Like a lobster shell, security has layers — review code before you run it.

latest vk978y7ctp746t2pm2sx4k2dv0h83z8hn
153 downloads
1 star
4 versions
Updated 2w ago
v1.2.0
MIT-0

send2tv

Push text, images, or audio to Huawei Smart Screen V75 (or other DLNA-compatible TVs) via UPnP AVTransport protocol.

Quick Usage

# Text (Chinese supported)
python3 scripts/send2tv.py "快去写作业!"

# Text with custom font size
python3 scripts/send2tv.py "Warning!" --font-size 300

# Image file
python3 scripts/send2tv.py --image /path/to/photo.jpg

# Image with text overlay
python3 scripts/send2tv.py --image /path/to/photo.jpg --text "Hello!"

# Audio file
python3 scripts/send2tv.py --audio /path/to/music.mp3

# TTS - Text to speech (requires edge-tts skill)
python3 scripts/send2tv.py --tts "这是一段要朗读的文字"
python3 scripts/send2tv.py --tts "Hello world" --voice en-US-MichelleNeural
python3 scripts/send2tv.py --tts "快点!" --rate +20%

How It Works

Image/Text mode:

  1. Renders text to 1920x1080 black image (or serves image directly)
  2. Starts local HTTP server on port 8082
  3. Sends DLNA/UPnP SOAP SetAVTransportURI + Play commands to TV
  4. TV downloads image via HTTP and displays it

Audio mode:

  1. Prepares audio file (converts to MP3 if needed)
  2. Starts local HTTP server on port 8082
  3. Sends DLNA/UPnP SOAP commands to TV
  4. TV streams audio via HTTP and plays it

TTS mode:

  1. Uses edge-tts to convert text to speech
  2. Pushes audio to TV via DLNA
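
The scan's network-exposure finding concerns step 2 of the image and audio modes: a server on 0.0.0.0:8082 serving /tmp. A narrower alternative is sketched below as an added example, not the skill's own code; the name make_server and its parameters are assumptions. It binds one interface, answers only the TV's address, and serves a single file at an unguessable path.

```python
import http.server
import secrets
import threading
from pathlib import Path


def make_server(file_path, bind_ip, allowed_client, port=0, mime="image/jpeg"):
    """Serve exactly one file, on one interface, to one client IP.

    Returns (server, url). port=0 lets the OS pick a free port, so no
    other process has to be killed to free 8082.
    """
    payload = Path(file_path).read_bytes()       # read once; no per-request path lookups
    url_path = "/" + secrets.token_urlsafe(16)   # single unguessable URL, no listing

    class OneFile(http.server.BaseHTTPRequestHandler):
        def _answer(self, send_body):
            if self.client_address[0] != allowed_client:
                self.send_error(403)             # caller is not the TV
            elif self.path != url_path:
                self.send_error(404)             # everything else in /tmp stays private
            else:
                self.send_response(200)
                self.send_header("Content-Type", mime)
                self.send_header("Content-Length", str(len(payload)))
                self.end_headers()
                if send_body:
                    self.wfile.write(payload)

        def do_GET(self):
            self._answer(send_body=True)

        def do_HEAD(self):                       # a renderer may probe with HEAD first
            self._answer(send_body=False)

        def log_message(self, fmt, *args):       # keep the example quiet
            pass

    server = http.server.ThreadingHTTPServer((bind_ip, port), OneFile)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, bound_port = server.server_address[:2]
    return server, f"http://{host}:{bound_port}{url_path}"


if __name__ == "__main__":
    import tempfile
    # Constructed sample: loopback stands in for both LOCAL_IP and the TV address.
    with tempfile.NamedTemporaryFile(suffix=".jpg", delete=False) as f:
        f.write(b"constructed-sample-bytes")
    srv, url = make_server(f.name, "127.0.0.1", "127.0.0.1")
    print("URI to pass to SetAVTransportURI:", url)
    srv.shutdown()
```

In real use bind_ip would be the host's LAN address and allowed_client the TV's address from the TV Configuration section; call server.shutdown() once playback has started.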

TV Configuration

  • IP: 192.168.3.252
  • UPnP Port: 25826
  • HTTP Server Port: 8082
  • UPnP Service: urn:schemas-upnp-org:service:AVTransport:1

Font Notes

  • Chinese text uses WenQuanYi Zen Hei (文泉驿正黑), auto-detected
  • English text uses DejaVu Sans Bold
  • Font auto-scales to fit 1920x1080 (90% width max)

TTS Voices (for --tts mode)

Chinese:

  • zh-CN-XiaoxiaoNeural - female, natural (default)
  • zh-CN-YunyangNeural - male, natural
  • zh-CN-XiaoyiNeural - female, sweet
  • zh-CN-YunjianNeural - male, mature

English:

  • en-US-MichelleNeural - female, natural
  • en-US-AriaNeural - female, natural
  • en-US-GuyNeural - male, natural

See full list: https://speech.microsoft.com/portal/voicegallery

Troubleshooting

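TV shows a loading spinner and nothing displays: port 8082 is blocked by the firewall. Add an inbound rule in Windows Firewall allowing ports 8080-8090.

Text too small/too large: adjust with --font-size; the default is 200 pixels.

Image push fails: confirm the image path exists and is a valid image file.

Audio does not play: confirm the TV supports MP3 and check that the DLNA service is enabled.

TTS fails: confirm the edge-tts skill is installed (skillhub install openclaw/skills/edge-tts)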
