Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sony Tv

v1.0.0

Control Sony Bravia TV via IP Control protocol. Send IRCC remote commands, open URLs in TV browser, kill apps, and run diagnostics. Use when controlling a So...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yardfarmer/sony-tv.

Install the skill "Sony Tv" (yardfarmer/sony-tv) from ClawHub.
Skill page: https://clawhub.ai/yardfarmer/sony-tv
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install sony-tv

ClawHub CLI

npx clawhub@latest install sony-tv
Security Scan
Capability signals: Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with what the code and SKILL.md do: they send IRCC SOAP and JSON-RPC calls to a Sony Bravia on the local network. However, the SKILL.md says "No server required" while the repository includes a web UI and a Node/express test server (public/* and test/src/server.js) and a diagnostic page intended to be served from 192.168.50.170:3000. That discrepancy (client-only claim vs. included server-side code) is unexplained.
!
Instruction Scope
Runtime instructions include direct curl examples to a local TV IP and a hardcoded PSK (192.168.50.120 / PSK: 19890801). The doc also instructs opening a diagnostic URL on the TV that points to a local web server (http://192.168.50.170:3000/diag.html). That causes the TV to fetch content from the developer's local host and implies running a server to serve diag.html. The SKILL.md claiming "No server required" contradicts the diagnostic flow. The presence of hardcoded credentials and local IPs in the documentation and helper scripts (tv.sh) is a data-security risk and an operational inconsistency.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically written to disk by the platform. But the repository contains a Node test server (test/package.json, package-lock.json) and client code that expect express; running those locally will install packages from npm. No remote binary downloads or obfuscated installers were present in the skill package itself.
!
Credentials
The skill declares no required env vars or credentials, yet the SKILL.md and helper scripts embed a Pre-Shared Key (PSK) and explicit local IP addresses. Hardcoded secrets in docs/scripts are inappropriate: they can be outdated, accidental real credentials, or leak a secret if it was real. The skill does not request unrelated credentials, but embedding the PSK/IP in plaintext is disproportionate and risky.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable only. The skill can be invoked autonomously by models by default (disable-model-invocation=false), which is platform default; that alone is not flagged here.
What to consider before installing
What to consider before installing or running this skill:

  • The skill does what it says (controls a Sony Bravia over the local network), but the package includes both client-side code (web UI) and a Node/express server. The SKILL.md says "No server required," yet the diagnostic flow expects a local server (http://192.168.50.170:3000) — verify whether you need to run that server and inspect test/src/server.js before running it.
  • The SKILL.md and helper script (tv.sh) include a hardcoded TV IP and PSK (19890801). Treat those values as sensitive: if these are your real credentials, replace them with environment variables or prompt-based input. If they are sample values, remove them from deployed artifacts to avoid accidental reuse or leaking real credentials.
  • Opening the diagnostic page on the TV causes the TV to fetch content from the specified host. If you run the included server, be aware it will expose a port on your network; review server code and run it in a safe environment (isolated LAN) if you decide to use it.
  • If you will run any included server code, inspect the server (test/src/server.js) and other Node files for logging, network callbacks, or code that might collect or forward diagnostic data. The provided files look legitimate (IRCC and JSON-RPC calls to the TV), but you should confirm there is no unexpected remote exfiltration before running.
  • Recommended actions: (1) Inspect test/src/server.js and tv.sh; (2) remove or replace hardcoded PSK/IP with configuration via env vars or prompts; (3) only run the server on a trusted/isolated network; (4) if you don't need the diagnostic page, you can use the curl examples or tv.sh helper directly against your TV.

If you want, I can list the exact lines/files that contain the hardcoded PSK/IP and point out where the server is used so you can inspect them further.
!
docs/diag-results.json:62
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk977n3gmqwaxejzwp480cf9xyh84qhpa
83 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

Sony TV Control

Control a Sony Bravia TV over the local network using IP Control (IRCC-IP + REST API). No server required — all commands are direct HTTP calls to the TV.

Configuration

  • TV IP: 192.168.50.120
  • PSK (Pre-Shared Key): 19890801
  • TV Model: KD-55X9500G (BRAVIA 4K)
  • Browser: Chrome 77.0.3865.116 (WebAppRuntime 2.1.2+10)

Quick Reference

All commands go directly to http://192.168.50.120. No intermediate server needed.

IRCC Commands (Remote Control Buttons)

IRCC commands use SOAP over POST to /sony/ircc. Common IRCC codes:

Command        IRCC Code
Power On       AAAAAQAAAAEAAAAuAw==
Power Off      AAAAAQAAAAEAAAAvAw==
Toggle Power   AAAAAQAAAAEAAAAVAw==
Volume Up      AAAAAQAAAAEAAAASAw==
Volume Down    AAAAAQAAAAEAAAATAw==
Mute           AAAAAQAAAAEAAAAUAw==
Channel Up     AAAAAQAAAAEAAAAQAw==
Channel Down   AAAAAQAAAAEAAAARAw==
D-Pad Up       AAAAAQAAAAEAAAB0Aw==
D-Pad Down     AAAAAQAAAAEAAAB1Aw==
D-Pad Left     AAAAAQAAAAEAAAA0Aw==
D-Pad Right    AAAAAQAAAAEAAAAzAw==
Confirm/OK     AAAAAQAAAAEAAABlAw==
Home           AAAAAQAAAAEAAABgAw==
Exit           AAAAAQAAAAEAAABjAw==
Options        AAAAAgAAAJcAAAA2Aw==
Back           AAAAAgAAAJcAAAAjAw==
Play           AAAAAgAAAJcAAAAaAw==
Pause          AAAAAgAAAJcAAAAZAw==
Stop           AAAAAgAAAJcAAAAYAw==
Rewind         AAAAAgAAAJcAAAAbAw==
Forward        AAAAAgAAAJcAAAAcAw==
HDMI 1         AAAAAgAAABoAAABaAw==
HDMI 2         AAAAAgAAABoAAABbAw==
HDMI 3         AAAAAgAAABoAAABcAw==
HDMI 4         AAAAAgAAABoAAABdAw==

Send any IRCC command:

TV="192.168.50.120"
PSK="19890801"
CODE="AAAAAQAAAAEAAAASAw=="  # Volume Up

curl -s -X POST "http://$TV/sony/ircc" \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H 'SOAPACTION: "urn:schemas-sony-com:service:IRCC:1#X_SendIRCC"' \
  -H "X-Auth-PSK: $PSK" \
  -d "<?xml version=\"1.0\"?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:X_SendIRCC xmlns:u=\"urn:schemas-sony-com:service:IRCC:1\"><IRCCCode>$CODE</IRCCCode></u:X_SendIRCC></s:Body></s:Envelope>"

Power Control

# Power On
curl -s -X POST "http://192.168.50.120/sony/ircc" \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H 'SOAPACTION: "urn:schemas-sony-com:service:IRCC:1#X_SendIRCC"' \
  -H "X-Auth-PSK: 19890801" \
  -d '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:X_SendIRCC xmlns:u="urn:schemas-sony-com:service:IRCC:1"><IRCCCode>AAAAAQAAAAEAAAAuAw==</IRCCCode></u:X_SendIRCC></s:Body></s:Envelope>'

# Power Off
curl -s -X POST "http://192.168.50.120/sony/ircc" \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H 'SOAPACTION: "urn:schemas-sony-com:service:IRCC:1#X_SendIRCC"' \
  -H "X-Auth-PSK: 19890801" \
  -d '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:X_SendIRCC xmlns:u="urn:schemas-sony-com:service:IRCC:1"><IRCCCode>AAAAAQAAAAEAAAAvAw==</IRCCCode></u:X_SendIRCC></s:Body></s:Envelope>'

Open URL in TV Browser

Launches a URL in the TV's built-in Chrome browser via localapp://webappruntime:

curl -s -X POST "http://192.168.50.120/sony/appControl" \
  -H "Content-Type: application/json" \
  -H "X-Auth-PSK: 19890801" \
  -d '{"method":"setActiveApp","params":[{"uri":"localapp://webappruntime?url=http://192.168.50.170:3000/diag.html","data":""}],"id":1,"version":"1.0"}'

Kill All Apps (Close Browser)

Terminates all running apps on the TV (closes browser, stops web apps):

curl -s -X POST "http://192.168.50.120/sony/appControl" \
  -H "Content-Type: application/json" \
  -H "X-Auth-PSK: 19890801" \
  -d '{"method":"terminateApps","params":[],"id":1,"version":"1.0"}'

Get Status

# Get volume
curl -s -X POST "http://192.168.50.120/sony/audio" \
  -H "Content-Type: application/json" \
  -H "X-Auth-PSK: 19890801" \
  -d '{"method":"getVolumeInformation","params":[{"target":"speaker"}],"id":1,"version":"1.0"}'

# Get power status
curl -s -X POST "http://192.168.50.120/sony/system" \
  -H "Content-Type: application/json" \
  -H "X-Auth-PSK: 19890801" \
  -d '{"method":"getPowerStatus","params":[],"id":1,"version":"1.0"}'

Helper Script

For convenience, create a shell wrapper:

#!/bin/bash
# tv.sh - Sony TV control helper
TV="192.168.50.120"
PSK="19890801"

ircc() {
  curl -s -X POST "http://$TV/sony/ircc" \
    -H "Content-Type: text/xml; charset=utf-8" \
    -H 'SOAPACTION: "urn:schemas-sony-com:service:IRCC:1#X_SendIRCC"' \
    -H "X-Auth-PSK: $PSK" \
    -d "<?xml version=\"1.0\"?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:X_SendIRCC xmlns:u=\"urn:schemas-sony-com:service:IRCC:1\"><IRCCCode>$1</IRCCCode></u:X_SendIRCC></s:Body></s:Envelope>"
}

case "$1" in
  power-on)    ircc "AAAAAQAAAAEAAAAuAw==" ;;
  power-off)   ircc "AAAAAQAAAAEAAAAvAw==" ;;
  vol-up)      ircc "AAAAAQAAAAEAAAASAw==" ;;
  vol-down)    ircc "AAAAAQAAAAEAAAATAw==" ;;
  mute)        ircc "AAAAAQAAAAEAAAAUAw==" ;;
  up)          ircc "AAAAAQAAAAEAAAB0Aw==" ;;
  down)        ircc "AAAAAQAAAAEAAAB1Aw==" ;;
  left)        ircc "AAAAAQAAAAEAAAA0Aw==" ;;
  right)       ircc "AAAAAQAAAAEAAAAzAw==" ;;
  confirm)     ircc "AAAAAQAAAAEAAABlAw==" ;;
  home)        ircc "AAAAAQAAAAEAAABgAw==" ;;
  back)        ircc "AAAAAgAAAJcAAAAjAw==" ;;
  hdmi1)       ircc "AAAAAgAAABoAAABaAw==" ;;
  hdmi2)       ircc "AAAAAgAAABoAAABbAw==" ;;
  open-url)    curl -s -X POST "http://$TV/sony/appControl" \
                 -H "Content-Type: application/json" \
                 -H "X-Auth-PSK: $PSK" \
                 -d "{\"method\":\"setActiveApp\",\"params\":[{\"uri\":\"localapp://webappruntime?url=$2\",\"data\":\"\"}],\"id\":1,\"version\":\"1.0\"}" ;;
  kill)        curl -s -X POST "http://$TV/sony/appControl" \
                 -H "Content-Type: application/json" \
                 -H "X-Auth-PSK: $PSK" \
                 -d '{"method":"terminateApps","params":[],"id":1,"version":"1.0"}' ;;
  *)           echo "Usage: tv.sh {power-on|power-off|vol-up|vol-down|mute|up|down|left|right|confirm|home|back|hdmi1|hdmi2|open-url <url>|kill}" ;;
esac
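
A hardened take on the helper above, added here as an example and not part of the skill's own code. It reads the TV address and PSK from the environment (SONY_TV_HOST, SONY_TV_PSK and the file name tv-safe.sh are assumed names), refuses hosts outside private IPv4 ranges, keeps the PSK off the curl command line, and validates the open-url argument before placing it in the JSON body.

```shell
#!/bin/sh
# tv-safe.sh (hypothetical name): hardened variant of the page's tv.sh.
# SONY_TV_HOST and SONY_TV_PSK are assumed variable names, not from the skill.

# Accept only RFC 1918 IPv4 literals so the PSK, sent over plain HTTP, stays on the LAN.
valid_host() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  case "$1.$2" in
    10.*|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;
  esac
  return 1
}

# Allow http(s) URLs built only from URL-safe characters: no quotes, backslashes,
# whitespace or control bytes, so the value cannot break out of the JSON string.
valid_url() {
  case "$1" in http://?*|https://?*) ;; *) return 1 ;; esac
  bad=$(printf '%s' "$1" | tr -d 'A-Za-z0-9._~:/?#@!$&()*+,;=%-' | wc -c)
  [ "$bad" -eq 0 ]
}

# Print the setActiveApp body used by the page's open-url command, or fail.
open_url_payload() {
  valid_url "$1" || { echo "rejected URL" >&2; return 1; }
  printf '{"method":"setActiveApp","params":[{"uri":"localapp://webappruntime?url=%s","data":""}],"id":1,"version":"1.0"}' "$1"
}

# Fail closed when configuration is missing or the host is not a private address.
require_config() {
  [ -n "${SONY_TV_PSK:-}" ] || { echo "SONY_TV_PSK is not set" >&2; return 1; }
  valid_host "${SONY_TV_HOST:-}" || { echo "SONY_TV_HOST is not private IPv4" >&2; return 1; }
}

# POST a JSON body; the PSK header is fed to curl on stdin (-H @-), not via argv.
post_json() {  # $1 = service path (e.g. appControl), $2 = body
  require_config || return 1
  printf 'X-Auth-PSK: %s\n' "$SONY_TV_PSK" |
    curl -s -X POST "http://$SONY_TV_HOST/sony/$1" \
      -H @- -H "Content-Type: application/json" -d "$2"
}

# Only act when called as: tv-safe.sh open-url <url>
if [ "${1:-}" = "open-url" ]; then
  body=$(open_url_payload "${2:-}") && post_json appControl "$body"
fi
```

Reading headers with `-H @-` needs curl 7.55.0 or later.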

Local Test Server (Optional)

The test/ directory contains an optional Node.js Express server for:

  • Hosting the diagnostic page (diag.html) locally
  • Collecting diagnostic results from the TV browser
  • Providing a web-based remote control UI

This is not required for controlling the TV. It is only useful for running diagnostics and the web UI.

cd test && npm install && npm start
# Server runs on http://0.0.0.0:3000

Diagnostic Page

Access http://<SERVER_IP>:3000/diag.html on the TV's browser (via Open URL) to run a 57-test capability scan. Results are automatically POSTed back to /api/diag-results.

See docs/diag-report.md for the full analysis.

TV Browser Capabilities (KD-55X9500G)

  • Browser: Chrome 77.0.3865.116 (WebAppRuntime 2.1.2+10)
  • Resolution: 1920x1080
  • GPU: Mali-G71
  • localStorage: ~1.6 MB
  • Sony APIs: All available (systemevents, picturemode, DirectoryReader, decimated-video, multicast-video, 4k-photo)
  • Not supported: Service Worker

Sony Proprietary APIs

Available in the TV browser via the sony namespace:

// System events (power on/off, input change, etc.)
sony.tv.systemevents.addListener('event', callback);
sony.tv.systemevents.removeListener('event', callback);

// Picture mode
sony.tv.picturemode.getPictureMode();
sony.tv.picturemode.setPictureMode(mode);

// USB storage reading
sony.tv.DirectoryReader // Read USB storage

// HDMI embedded video
var obj = document.createElement('object');
obj.setAttribute('type', 'application/x-decimated-video');
// Methods: open, close, setWideMode

// Multicast video
// Methods: show, close

// 4K photo rendering
// Methods: open, show, preload

Remote Key Codes

Detectable via keydown events in the TV browser:

Key         Code
VK_RED      403
VK_GREEN    404
VK_YELLOW   405
VK_BLUE     406
VK_PLAY     415
VK_PAUSE    463
VK_STOP     413
