Is imaloney/roku-control safe?

https://github.com/openclaw/skills/tree/main/skills/imaloney/roku-control

98
SAFE

This Roku control skill appears to be a legitimate implementation of the Roku External Control Protocol (ECP) for local network device control. The code is clean, well-documented, and follows expected patterns for Roku integration with no signs of malicious behavior or data exfiltration.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (2)

LOW Contains executable Python script -5

The skill includes a Python script (roku_control.py) that will be executed when the skill is used. While the code appears legitimate and implements standard Roku ECP interactions, any executable code carries inherent risk.

LOW Network device control capabilities -10

The skill can discover and control any Roku device on the local network without authentication, which is how ECP is designed to work. While this is intended functionality, it could be misused to control devices the user doesn't own if they're on the same network.