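A skill for following TV series and anime. It gives the AI the ability to search for video playback URLs and supports playing them directly on a Xiaomi TV. Use this skill when the user wants to search for information on, or the release progress of, films and TV shows, anime, short dramas, variety shows and other programs.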
Security Analysis
medium confidence
The skill's instructions largely match its stated purpose, but it runs arbitrary npm packages at runtime via npx, references undeclared environment variables for controlling local TVs, and thus has a mismatched/incomplete metadata surface and a runtime code-fetch risk you should understand before installing.
The name/description (search streaming sources and cast to TVs) aligns with the runtime commands (mcporter/uvx calls and mitv/tvbox play commands). However the registry metadata does not declare the optional environment variables (MITV_LOCAL_IP, MITV_LIST_CFG, TVBOX_LOCAL_IP, TVBOX_LIST_CFG) that the SKILL.md explicitly requires for casting — this is an inconsistency the author should have declared.
SKILL.md tells the agent to run npx -y mcporter ... 'uvx mcp-vods' which will fetch and execute code from npm at runtime, and to send media URLs to local device IPs (Xiaomi / Android TV). That means the agent will: (a) download/execute code from the network each run, and (b) communicate with local network devices using addresses supplied via env vars. The instructions also reference env vars not present in the registry metadata.
There is no install spec; instead the skill relies on npx -y to fetch and execute mcporter/mcp-vods on demand. Using npx implies transient downloading and running of remote packages from the npm registry each time — this is higher risk than pure instruction-only behavior because arbitrary code will be executed at runtime.
Registry declares no required env vars, but SKILL.md expects MITV_LOCAL_IP / MITV_LIST_CFG and TVBOX_LOCAL_IP / TVBOX_LIST_CFG to enable casting. The skill accesses env vars that are not declared in the metadata (a mismatch). Those env vars control local network targets (TV IPs) — sensitive in that they enable contacting devices on the user's LAN.
always:false and no install-time persistence or modification of other skills is requested. The skill does not request permanent/system-level privileges in the metadata.
Guidance
This skill appears to do what it says (search streaming sources and cast to TVs) but there are a few risks and inconsistencies you should weigh:
1) Runtime code-fetch: the SKILL.md uses `npx -y mcporter` which will download and execute packages from npm each time the skill runs — only install/use this if you trust the mcporter/mcp-vods packages and their upstream authors.
2) Undeclared env vars: the doc requires MITV_LOCAL_IP / MITV_LIST_CFG and TVBOX_LOCAL_IP / TVBOX_LIST_CFG to perform casting, but those are not declared in the skill metadata; the author should add them so you can review and control what gets provided.
3) Local network access: casting requires contacting devices on your LAN using the provided IPs — avoid exposing sensitive devices and consider using a test network if unsure.
4) No code is packaged in the skill itself, so you should inspect the referenced GitHub repo and the npm packages (mcporter, uvx, mcp-vods) before using.
If you decide to proceed: verify package provenance (npm author, GitHub repo contents), run in an isolated environment or container first, and only provide TV IPs you control.
Latest Release
v1.0.2
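- Added the homepage field, pointing to the GitHub project home page.
- Improved the description and layout so the feature overview is clearer.
- Added --schema to some command parameters and improved the explanation of how to obtain the tool list.
- Commands are now recommended to use npx -y mcporter uniformly, to improve compatibility.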
Published by @al-one on ClawHub