← 返回 Skills 市场
Stremio CLI
作者
BEARLY_HODLING
· GitHub ↗
· v1.1.0
· MIT-0
221
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install stremio-cli
功能描述
Stremio automation via browser + Torrentio on Mac Mini. Searches for shows/movies, selects highest-seeded streams, and plays them. Use when user wants to wat...
安全使用建议
Do not install or run this skill until the author answers these questions: (1) Why is there a hardcoded streamingServer URL (the stremio.rocks host with an IP-like subdomain) in scripts/stremio_cast.py? Who controls that host and why would your streams be proxied through it? (2) The SKILL.md says the Python script is 'legacy' and 'not used' — please remove the file or state explicitly whether the agent may execute it. (3) Explain how Stremio credentials in Keychain are used; confirm the skill will not programmatically read or transmit Keychain entries without explicit user consent. (4) Confirm whether the skill will execute local binaries (e.g., 'catt') and whether those binaries are required/trusted. If you must test, run in an isolated environment (no sensitive Keychain entries, limited network access) and audit network traffic to ensure streams aren't routed through unknown third-party servers. If these questions are answered satisfactorily (remove or sanitize the hardcoded host, explicit Keychain behavior, and a clear statement that the legacy script will not run), the incoherences would be resolved.
功能分析
Type: OpenClaw Skill
Name: stremio-cli
Version: 1.1.0
The skill contains a potential shell injection vulnerability in `scripts/stremio_cast.py` where the `device` argument (sourced from command-line input) is passed unsanitized to `subprocess.Popen`. Additionally, the bundle includes hardcoded personal information (email address) and specific local network IP addresses in `SKILL.md` and the Python script, which indicates a lack of sanitization for a shared component.
能力评估
Purpose & Capability
The skill claims to rely on the built-in browser tool and needs no credentials, but the bundle includes a Python script that embeds a hardcoded streamingServer URL (a stremio.rocks host with an IP-like subdomain) and assumes 'catt' is installed. That script's behavior (intercepting stream URLs and casting them) is related to the stated purpose, but the presence of a hardcoded third-party streaming server and a legacy script that the SKILL.md says is 'not used' is an incoherence that needs justification.
Instruction Scope
SKILL.md instructs the agent to use the browser tool only and does not direct the agent to read system secrets; however it explicitly states 'Credentials for Stremio account are in Keychain' (with a specific email), which implies use of system credential storage. The included script would capture stream URLs from web requests and hand them to a local casting tool — behavior not described in the SKILL.md. The mismatch between the instructions and the included script expands the effective scope and is potentially risky.
Install Mechanism
There is no install spec (instruction-only), which is low risk, but a code file is present. Since no install runs automatically, nothing will be written during install; however the included script assumes Playwright and 'catt' exist in the runtime environment. The absence of an install spec plus included runnable code is an odd combination that should be clarified.
Credentials
The skill declares no required environment variables, but SKILL.md calls out Stremio credentials stored in macOS Keychain (and even includes a specific email). Requiring access to system Keychain data is sensitive. The package does not declare or explain how credentials are retrieved; the included script doesn't access Keychain but would operate under the environment's existing session. This gap between claimed credential location and declared requirements is disproportionate and unclear.
Persistence & Privilege
The skill does not request always:true and does not declare changes to other skills or persistent system-wide configuration. Autonomous invocation is allowed by default, which is normal. There is no install-time persistence requested by the manifest.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install stremio-cli - 安装完成后,直接呼叫该 Skill 的名称或使用
/stremio-cli触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
Clean English version using built-in browser tool + Torrentio. Removed Portuguese casting code and Chromecast dependency. Matches existing memory for Stremio automation on Mac Mini.
v1.0.1
Security fix: removed hardcoded Keychain email. Now uses STREMIO_ACCOUNT env var or defaults safely.
v1.0.0
Initial release - natural language Stremio automation with Torrentio + Playwright
元数据
常见问题
Stremio CLI 是什么?
Stremio automation via browser + Torrentio on Mac Mini. Searches for shows/movies, selects highest-seeded streams, and plays them. Use when user wants to wat... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 221 次。
如何安装 Stremio CLI?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install stremio-cli」即可一键安装,无需额外配置。
Stremio CLI 是免费的吗?
是的,Stremio CLI 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Stremio CLI 支持哪些平台?
Stremio CLI 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Stremio CLI?
由 BEARLY_HODLING(@bearly-hodling)开发并维护,当前版本 v1.1.0。
推荐 Skills