Is akivasolutions/clawtv safe?

https://github.com/openclaw/skills/tree/main/skills/akivasolutions/clawtv

Overall score: 77/100 (CAUTION)

ClawTV is a functionally legitimate Apple TV remote control skill with no malicious code patterns, hidden prompt injections, or evidence of credential harvesting during installation. The principal security concerns are architectural rather than adversarial: the 'do' command transmits Apple TV screen captures to Anthropic's API (disclosed in documentation), credentials are stored unencrypted in a plaintext config file, and the skill requires elevated macOS trust through AppleScript/osascript execution to perform its stated function. Users who understand these tradeoffs and use the skill for Apple TV navigation will encounter a well-written, documented tool; users unaware of the ongoing screenshot transmission should review the Privacy section before installation.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 68/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (7)

MEDIUM Apple TV Screen Content Continuously Transmitted to Anthropic API -22

The 'do' (AI agent mode) command takes a screenshot of the Apple TV after every navigation step and encodes it in a Claude API request. Screenshots may contain sensitive on-screen content: media titles and thumbnails, streaming service account UIs, search queries typed on the TV, and any app interface. The skill.md Privacy section discloses this behavior, but users may not realize every step of a 20-step navigation task sends a screenshot.

MEDIUM Apple TV and Plex Credentials Stored Unencrypted -13

Pairing credentials for Apple TV (Companion protocol tokens allowing full remote control) and optional Plex authentication tokens are stored in plaintext JSON at ~/.clawtv/config.json. Any process running as the user, or any other installed skill with filesystem access, can read these credentials. The Plex token in particular grants full library access and client control on the Plex server.

MEDIUM Broad macOS Automation via osascript (AppleScript) -20

The skill executes AppleScript through osascript subprocess calls to open and control QuickTime Player and Xcode. AppleScript can automate virtually any macOS application. While the specific scripts used are appropriate for the Apple TV screenshot use case, this capability represents a significant trust boundary — the skill could send UI events to any open application if the scripts were modified or injected.

LOW AppleScript Injection via Unescaped Device Name Interpolation -12

The Apple TV device name read from ~/.clawtv/config.json is interpolated directly into a multi-line AppleScript string using an f-string without any escaping or sanitization. A device name containing AppleScript special characters (quotes, end-of-statement markers) could alter the AppleScript logic. This risk is confined to the user's own config file but would be exploitable if another process tampered with that file.

LOW Hardcoded Installation Path Assumption in skill.md -15

The skill.md Quick Start section instructs the agent to execute commands at ~/Developer/clawtv/clawtv.py. This path is hardcoded and not derived from where ClawHub or the user actually installed the skill. If installed elsewhere, all agent-generated commands will fail with file-not-found errors, potentially causing the agent to attempt alternative approaches or misinterpret the failure.

LOW Autonomous Multi-Step API Loop Without Per-Step User Confirmation -15

The 'do' command executes an autonomous loop of up to 20 steps, each making a Claude API call with a screenshot. The agent escalates from Haiku 4.5 to Sonnet 4.5 when stuck, potentially increasing per-call cost. No confirmation is requested between steps. A confused agent could exhaust all 20 steps before reporting failure, incurring up to $0.10-0.20 per task.

INFO Developer Personal lock.json Artifact Bundled in Skill Package 0

The .clawhub/lock.json file in the skill package contains the skill developer's personal ClawHub skill dependency record (academic-research-hub v0.1.0 installed at timestamp 1770957475341). This file was inadvertently included when publishing the skill from the developer's own environment. It poses no security risk but indicates incomplete packaging hygiene — the developer's local skill installation state was shipped with the skill.