kosmi-dj
Transforms an AI agent into a video DJ for Kosmi watch parties, automating video playback and room management.
Install this skill
Security score
The kosmi-dj skill was audited on Feb 16, 2026 and we found 10 security issues across 3 threat categories, including 6 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 13 | - A `.env` file at `${CLAUDE_PLUGIN_ROOT}/.env` containing room URL and credentials |
Template literal with variable interpolation in command context
| 18 | Load from `${CLAUDE_PLUGIN_ROOT}/.env` before any agent-browser calls: |
Template literal with variable interpolation in command context
| 33 | Execute `${CLAUDE_PLUGIN_ROOT}/skills/kosmi-dj/scripts/kosmi-connect.sh` to: |
Template literal with variable interpolation in command context
| 44 | Execute `${CLAUDE_PLUGIN_ROOT}/skills/kosmi-dj/scripts/kosmi-play.sh <VIDEO_URL>` to: |
Template literal with variable interpolation in command context
| 55 | Execute `${CLAUDE_PLUGIN_ROOT}/skills/kosmi-dj/scripts/kosmi-loop.sh` to: |
Template literal with variable interpolation in command context
| 97 | Run `${CLAUDE_PLUGIN_ROOT}/skills/kosmi-dj/scripts/kosmi-snapshot-debug.sh` to dump a human-readable snapshot of all interactive elements currently visible. Use this to discover exact button names and |
Access to .env file
| 13 | - A `.env` file at `${CLAUDE_PLUGIN_ROOT}/.env` containing room URL and credentials |
Access to .env file
| 18 | Load from `${CLAUDE_PLUGIN_ROOT}/.env` before any agent-browser calls: |
Access to .env file
| 104 | - If login fails, check credentials in `.env` or delete the session to force re-auth: |
External URL reference
| 22 | | `KOSMI_ROOM_URL` | Yes | Full URL to the Kosmi room (e.g. `https://app.kosmi.io/room/XXXXX`) | |