streaming-obs-bootstrap
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches OBS scene setup, but it can expose your whole workspace over a persistent LAN web server and its “dry run” can start a real stream.
Install only if you are comfortable with an agent controlling OBS. Before running it, back up your OBS scene collection, confirm the target OBS host, avoid running the stream dry-run unless you are ready for a real broadcast, and restrict or stop the LAN HTTP server so it does not expose unrelated workspace files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Other machines on the network may be able to browse or download files from your workspace while the server is running.
The server is LAN-reachable and serves the entire workspace directory, not just overlay files, which can expose unrelated private project files to devices that can reach the port.
nohup python3 -m http.server "$PORT" --directory "$WORKSPACE" > "$LOG" 2>&1 & ... echo "LAN base URL: http://$IP:$PORT"
Serve only a dedicated overlay directory, bind to the minimum needed interface, use firewall/access controls where possible, and document how to stop the server.
The web server may keep running after the setup task ends, continuing to expose files until manually stopped.
The overlay server is launched as a background nohup process and the artifacts do not provide a stop command or lifecycle boundary.
nohup python3 -m http.server "$PORT" --directory "$WORKSPACE" > "$LOG" 2>&1 &
Add a documented stop command, PID file, scoped service lifecycle, or foreground mode so users can clearly control when the server is active.
Running this command can briefly broadcast publicly or to the configured streaming destination, even if the user expects a non-broadcast test.
The helper named as a dry run starts OBS streaming for real against the configured OBS profile, which may use an existing live stream key.
mcporter call 'obs.start_streaming()' >/dev/null ... sleep "$SECONDS_ON_AIR" ... mcporter call 'obs.stop_streaming()' >/dev/null
Require explicit user confirmation before calling start_streaming, clearly warn that it may go live, and offer a true non-broadcast test path when possible.
Existing OBS scenes with those names may be deleted or replaced.
Rebuilding scenes is core to the skill, but the script removes named OBS scenes before recreating the pack.
for s in "Workspace Overlay Test" "Main Live" "Intro" ...; do mc "obs.remove_scene(scene_name: \"$s\")" || true done
Back up the OBS scene collection first, or document exactly which scene names will be overwritten.
Commands may control a different OBS instance than expected if the target is changed and not reset.
The skill persistently changes the local agentic-obs target configuration, so later OBS commands may affect the selected local or LAN OBS host.
DB="${AGENTIC_OBS_DB:-$HOME/.agentic-obs/db.sqlite}"
sqlite3 "$DB" "update config set value='$HOST' ... where key='obs_host';"Verify the OBS host and port before running scene, recording, or streaming helpers, and reset the target after migration if needed.
The skill may fail or affect an unexpected environment if prerequisites are not already installed and configured.
The registry metadata does not declare runtime dependencies or config paths, while SKILL.md and scripts require tools and configuration such as mcporter, OBS WebSocket, sqlite3, python3, and agentic-obs.
Required binaries (all must exist): none ... Required config paths: none
Declare required binaries/configuration in metadata and have users verify the OBS and agentic-obs setup before running the scripts.