Skill Trust Decision

stremio-cli

The stremio_cast.py script does not match its documentation: SKILL.md says it is 'not used', yet it is the only script in the skill. It also performs undeclared subprocess execution and contains a hard-coded third-party server address.

Source: Manual upload · Scanned: Apr 5, 2026
Files 3 · Artifacts 2 · Violations 1 · Findings 3

Why this conclusion was reached

1/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

What drove the risk score up

Documentation/behaviour mismatch +15

SKILL.md claims stremio_cast.py is not used, but it is the only script in the skill.

Undeclared subprocess execution +10

The code calls subprocess.Popen to run the catt command; the documentation never declares shell permission.

Hard-coded third-party server +10

The script connects to the remote address 192-168-15-162.519b6502d940.stremio.rocks.

Most important evidence

Medium · Doc Mismatch

Documentation does not match the code

SKILL.md states that 'scripts/stremio_cast.py is legacy Portuguese-language code and is not used', but that file is the only script present and is written as the actual execution entry point.

Location: SKILL.md:28
Fix: Correct the documentation so it states which script is actually used and how.

Low · Priv Escalation

Undeclared shell execution

The code uses subprocess.Popen to run the catt command for casting to a device, but the documentation only declares use of the browser tool and never mentions shell-execution permission.

Location: scripts/stremio_cast.py:62
Fix: Declare in SKILL.md that the skill needs permission to run external commands.

Low · Supply Chain

Dependency not version-pinned

requirements.txt does not specify a playwright version, so installs may behave inconsistently or pull in a maliciously modified release.

Location: requirements.txt:1
Fix: Pin the version, e.g. playwright==1.40.0

Declared capability vs actual capability

Capability   Verdict   Declared   Inferred   Evidence
Browser      Pass      WRITE      WRITE      scripts/stremio_cast.py:24
Shell        Block     NONE       WRITE      scripts/stremio_cast.py:62 (subprocess.Popen call)
Network      Pass      READ       READ       connects to the Stremio streaming server
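The table above is produced by reading what the code does rather than what SKILL.md says. The following is an added example, not the scanner's own code or code from the stremio-cli skill: it walks the Python AST to infer Browser, Shell and Network capabilities (imports of browser or HTTP modules, calls such as subprocess.Popen, hard-coded URL literals), parses "Dimension: LEVEL" lines out of SKILL.md, and blocks any dimension whose inferred level exceeds the declared one. The sample script, the SKILL.md line format and the NONE/READ/WRITE level names are assumptions constructed for this example.

```python
"""Infer a skill's real capabilities from its Python source and compare them
with what SKILL.md declares.  Added example, not the scanner's or the
stremio-cli skill's code; the sample script, the 'Dimension: LEVEL' SKILL.md
format and the NONE/READ/WRITE levels are assumptions made for this example."""
import ast
import re

# Constructed stand-in for scripts/stremio_cast.py: imports playwright,
# spawns `catt` through subprocess.Popen and embeds a hard-coded URL.
SAMPLE_SCRIPT = '''
import subprocess
from playwright.sync_api import sync_playwright
STREAM_URL = "https://app.strem.io/shell-v4.4/?streamingServer=https%3A%2F%2Fexample.invalid%3A12470#/"

def cast(device):
    return subprocess.Popen(["catt", "-d", device, "cast", STREAM_URL])

def open_browser():
    with sync_playwright() as p:
        p.chromium.launch().new_page().goto(STREAM_URL)
'''
# Constructed stand-in for the capability section of SKILL.md (no Shell line).
SAMPLE_SKILL_MD = "## Capabilities\nBrowser: WRITE\nNetwork: READ\n"

LEVEL = {"NONE": 0, "READ": 1, "WRITE": 2}
SHELL_CALLS = {("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
               ("subprocess", "check_output"), ("os", "system"), ("os", "popen")}
BROWSER_MODULES = {"playwright", "selenium"}
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "httpx", "aiohttp"}
URL_RE = re.compile(r"https?://[^\s\"']+")


def _call_target(func, from_imports):
    # Resolve `mod.attr(...)` or a name bound by `from mod import attr` to (mod, attr).
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    if isinstance(func, ast.Name):
        return from_imports.get(func.id)
    return None


def infer_capabilities(source):
    """Return (capabilities, evidence, urls) inferred from the Python source."""
    caps = {"Browser": "NONE", "Shell": "NONE", "Network": "NONE"}
    evidence, urls, from_imports = {}, [], {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            if isinstance(node, ast.Import):
                roots = [a.name.split(".")[0] for a in node.names]
            else:
                roots = [(node.module or "").split(".")[0]]
                for a in node.names:          # remember `from mod import x as y`
                    from_imports[a.asname or a.name] = (roots[0], a.name)
            for root in roots:
                if root in BROWSER_MODULES:
                    caps["Browser"] = "WRITE"
                    evidence.setdefault("Browser", f"line {node.lineno}: import {root}")
                if root in NETWORK_MODULES:
                    caps["Network"] = "READ"
                    evidence.setdefault("Network", f"line {node.lineno}: import {root}")
        elif isinstance(node, ast.Call):
            target = _call_target(node.func, from_imports)
            if target in SHELL_CALLS:
                caps["Shell"] = "WRITE"
                evidence.setdefault("Shell", f"line {node.lineno}: {'.'.join(target)} call")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            urls.extend((node.lineno, u) for u in URL_RE.findall(node.value))
    if urls and caps["Network"] == "NONE":    # a hard-coded URL is egress too
        caps["Network"] = "READ"
        evidence["Network"] = f"line {urls[0][0]}: hard-coded URL"
    return caps, evidence, urls


def parse_declared(skill_md):
    """Read 'Dimension: LEVEL' lines; an undeclared dimension counts as NONE."""
    declared = {"Browser": "NONE", "Shell": "NONE", "Network": "NONE"}
    for m in re.finditer(r"^(Browser|Shell|Network):\s*(NONE|READ|WRITE)\s*$",
                         skill_md, re.MULTILINE):
        declared[m.group(1)] = m.group(2)
    return declared


def compare(declared, inferred):
    """Block every dimension whose inferred level exceeds the declared one."""
    return {dim: "Pass" if LEVEL[inferred[dim]] <= LEVEL[declared[dim]] else "Block"
            for dim in declared}


def scan(source=SAMPLE_SCRIPT, skill_md=SAMPLE_SKILL_MD):
    caps, evidence, urls = infer_capabilities(source)
    declared = parse_declared(skill_md)
    return {"declared": declared, "inferred": caps, "evidence": evidence,
            "urls": urls, "verdict": compare(declared, caps)}
```

Running `scan()` on the constructed sample reproduces the verdict pattern in the table: Browser Pass, Shell Block (subprocess.Popen with no Shell declaration), Network Pass. The hard-coded URL is reported as Network evidence even though the script imports no HTTP client, which is why a scanner treats URL literals as egress rather than trusting the import list alone.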

Suspicious artifacts and egress

Medium External URL
https://app.strem.io/shell-v4.4/?streamingServer=https%3A%2F%2F192-168-15-162.519b6502d940.stremio.rocks%3A12470#/

scripts/stremio_cast.py:10

Info Email
[email protected]

SKILL.md:12

Dependencies and supply chain

Package      Version   Source   Known vuln   Notes
playwright   *         pip      No           no version pin
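The unpinned playwright entry is what a requirements check catches. The following is an added example, not the scanner's code: it parses requirements.txt lines, classifies each as unpinned (bare name or a range such as >=), pinned (==) or pinned+hashed (== together with --hash, the form that pip install --require-hashes enforces), and returns the names a scanner would flag. The sample file and its version numbers are constructed for the example.

```python
"""Flag requirements.txt entries that are not pinned to an exact version.
Added example, not the scanner's code; the sample file is constructed and its
version numbers are illustrative only."""
import re

# Constructed sample: a bare name (as in the skill), a range, an exact pin,
# and an exact pin with a placeholder hash for `pip install --require-hashes`.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
playwright
requests>=2.0
selenium==4.0.0  # illustrative exact pin
httpx==0.27.0 --hash=sha256:%s
""" % ("0" * 64)

REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9_.-]*)(\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#-]*)")


def check_pins(text):
    """Return (lineno, package, status, spec) per requirement line; status is
    'pinned+hashed', 'pinned' (==) or 'unpinned' (bare name or any range)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment, or pip option
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, _extras, op, version = m.groups()
        if op == "==" and "--hash=" in line:
            status = "pinned+hashed"
        elif op == "==":
            status = "pinned"
        else:
            status = "unpinned"
        findings.append((lineno, name, status, f"{op or ''}{version or '*'}"))
    return findings


def unpinned(text):
    """Package names a scanner would flag, in file order."""
    return [name for _, name, status, _ in check_pins(text) if status == "unpinned"]
```

Only `==` counts as pinned here: `~=` and `>=` still let a newer release, including a maliciously modified one, satisfy the requirement at install time. A `--hash` on top of the pin also defends against the same version being re-uploaded with different contents.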

File composition

3 files · 135 lines
Python 1 file · 88 lines
Markdown 1 file · 42 lines
JSON 1 file · 5 lines
Files of concern · 2
scripts/stremio_cast.py Python · 88 lines
Undeclared shell execution · https://app.strem.io/shell-v4.4/?streamingServer=https%3A%2F%2F192-168-15-162.519b6502d940.stremio.rocks%3A12470#/
SKILL.md Markdown · 42 lines
Documentation does not match the code · [email protected]
Other files · _meta.json

Security positives

Clear code structure with thorough error handling
No credential exfiltration
No persistence mechanism
No obfuscated or hidden code