roku

Do not install or run this skill without further review. Specific concerns: - The package claims a Node/TypeScript CLI but the shipped files are Python; verify the actual npm package (roku-ts-cli) and whether the binary on PATH is trusted and matches the code. - The bundle contains a Telegram poller (roku-telegram.py) that requires TELEGRAM_TOKEN and will poll api.telegram.org and write commands to a local pipe. If you set TELEGRAM_TOKEN, the skill will have network access to Telegram and can receive remote commands — only provide this token if you intend that behavior. - The code expects ROKU_IP in env or will attempt discovery; it also creates /tmp/roku-control and /tmp/roku-daemon.sock for inter-process control — check permissions and who can write to these pipes to avoid unauthorized control. - SKILL.md mentions an HTTP bridge service, but no bridge implementation is present in the shipped code; do not assume the bridge exists or is safe. What to do next: 1) Inspect the actual npm package 'roku-ts-cli' (source, versions, and install scripts) before installing the declared npm package. 2) If you only want CLI control, prefer the upstream project (GitHub link) and follow its documented install (python vs npm) — confirm which runtime is required. 3) If you must try this, run it in an isolated environment (VM/container) and do not expose TELEGRAM_TOKEN or other secrets until you confirm behavior. 4) Ask the publisher for clarifications: why Node install is declared when files are Python, and why TELEGRAM_TOKEN/ROKU_IP are not declared in metadata.