ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apple Media Remote (for HomePod, Apple TV, etc)

v1.0.0

Control Apple TV, HomePod, and AirPlay devices via pyatv (scan, stream, playback, volume, navigation).

5· 2.8k·17 current·17 all-time
by@aaronn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (control Apple TV/HomePod/AirPlay via pyatv) match the declared requirements (atvremote binary) and the runtime instructions. No unrelated binaries, environment variables, or config paths are requested.
Instruction Scope
SKILL.md only instructs use of atvremote commands (scan, play, volume, pairing, streaming local files/URLs). It explicitly performs local network discovery and pairing; it does not instruct reading unrelated system files or exporting data externally. Note: pairing credentials are stored in ~/.pyatv.conf after pairing (expected for this tool).
Install Mechanism
The registry showed no formal install spec, but SKILL.md contains metadata recommending 'pipx install pyatv --python python3.13' (a reasonable installation method). Installing from PyPI via pipx is moderate-risk compared with no install; there are no arbitrary URL downloads or extract steps.
Credentials
No environment variables or external credentials are requested. The only persisted credential-like artifact is the local pairing configuration (~/.pyatv.conf), which is proportional to the skill's purpose (paired control of devices).
Persistence & Privilege
Skill is not always:true and is user-invocable (defaults). The agent can invoke the skill autonomously (disable-model-invocation=false) — this is the platform default. Because the skill controls local devices and stores pairing tokens locally, consider the implications of allowing autonomous invocation, but this configuration is not inherently incoherent.
Assessment
This skill appears to be what it says: a wrapper for pyatv/atvremote to control local Apple devices. Before installing, verify the pyatv package source (use official PyPI), and prefer installing via pipx as recommended. Be aware that pairing will create ~/.pyatv.conf containing credentials that allow device control — review and protect that file. Because the skill can scan your local network and control devices, only enable autonomous invocation if you trust the agent; otherwise keep it user-invocable and run commands yourself. If you want extra assurance, inspect the upstream repository (homepage) and run atvremote manually once to confirm behavior before giving the skill regular use.

Like a lobster shell, security has layers — review code before you run it.

latestvk978wyd4pzjyxeevd42ka674bh7zsxvy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎛️ Clawdis
Binsatvremote

Comments