PLEX-CTL

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Plex control tool, but users should protect the Plex token it stores locally.

Install only if you want an agent to control Plex playback and read Plex library metadata. Treat the Plex token like a password: do not share it, commit it, or paste it into logs, and restrict access to ~/.plexctl/config.json. If you require strictly local-only behavior, review the MyPlex cloud discovery fallback before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README instructs users to obtain a Plex authentication token and store it in plaintext in ~/.plexctl/config.json, but it does not clearly warn that the token is a sensitive credential that may grant access to the user's Plex server and account context if exposed. Documentation that normalizes insecure credential handling increases the chance of accidental leakage through backups, screenshots, shell history, shared machines, or source control.

Missing User Warnings

Medium
Confidence: 90%
Finding
The setup flow collects a long-lived Plex access token and stores it in plaintext JSON under ~/.plexctl/config.json without warning the user about its sensitivity or applying any file-permission hardening. If another local user, malware, backup system, or accidental file disclosure accesses that file, the token could be reused to connect to the Plex server and associated account resources.

VirusTotal

65/65 vendors flagged this skill as clean.
