Is aaronn/apple-media safe?

https://github.com/openclaw/skills/tree/main/skills/aaronn/apple-media

92
SAFE

The aaronn/apple-media skill is a clean documentation-only skill providing CLI usage guidance for the pyatv atvremote tool to control Apple TV, HomePod, and AirPlay devices. No prompt injection, hidden instructions, executable code, git hooks, or malicious network behavior was detected; the install was confined to a legitimate git sparse-checkout of the skills monorepo and no canary files were modified. The only meaningful risks are inherent to the tool's functionality (stream_file and play_url could be abused via a separate prompt injection vector, and the install requires trusting PyPI's pyatv package), not to any malicious intent by the skill author.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (6)

LOW Install executes third-party PyPI package (pyatv) -10

The install command pipx install pyatv --python python3.13 pulls and executes code from PyPI. pyatv is a legitimate, well-maintained open-source project (github.com/postlund/pyatv) with a strong track record. However, any PyPI install introduces a supply chain dependency.

LOW stream_file can stream local files to network devices -5

The stream_file command is a documented pyatv feature that streams a local file path to an Apple device. Under normal use this is benign, but combined with a separate prompt injection attack vector, an agent could be directed to stream sensitive local files to an attacker-controlled AirPlay receiver.

LOW play_url sends arbitrary URL to device for fetching -5

Instructs the Apple device to fetch a caller-supplied URL. Could be used for SSRF from the device's network perspective, or to reveal device/network identity to a remote server.

LOW Network scanning reveals LAN topology -10

atvremote scan performs mDNS enumeration of the local network, returning names, addresses, protocols, and pairing status of all discoverable Apple devices. This is inherent to the tool's purpose but does constitute a network reconnaissance capability.

INFO Clean install: only expected GitHub traffic 0

The entire install process generated only GitHub HTTPS traffic (140.82.121.3:443). No unexpected outbound connections to non-GitHub hosts. No processes spawned outside the install flow. Filesystem changes confined to /home/oc-exec/skill-under-test/.

INFO Canary files accessed only by audit harness, not modified 0

Honeypot credential files were read at the start and end of the audit by the oathe harness (CLOSE_NOWRITE in all cases). No writes, no exfiltration to external hosts. All canary hashes verified intact.