PLEX-CTL

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears purpose-aligned for Plex control, but it requires a Plex token, can control playback devices, may use Plex cloud discovery, and installs an unpinned Python dependency.

Install this only if you want your agent to control Plex. Run setup yourself, protect the saved Plex token, verify the default client, understand that cloud discovery may be used as a fallback, and consider pinning the plexapi dependency version.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or anything with access to the saved config token may be able to access or control the user's Plex server within the token's permissions.

Why it was flagged

The tool stores and reuses a Plex token to authenticate to the user's Plex server. This is necessary for the stated Plex integration, but it is a sensitive credential.

Skill content

CONFIG_PATH = os.path.expanduser("~/.plexctl/config.json") ... token = cfg.get("plex_token") ... return PlexServer(url, token)

Recommendation

Run setup only on a trusted machine, protect ~/.plexctl/config.json, and revoke or rotate the Plex token if the machine or config file may be exposed.

What this means

The agent can start, stop, or change playback on the configured Plex client when invoked for Plex tasks.

Why it was flagged

The skill exposes playback-control commands that change the state of Plex clients. This is the skill's intended purpose, but it is still user-impacting device control.

Skill content

plexctl pause ... plexctl resume ... plexctl stop ... plexctl next ... plexctl prev

Recommendation

Confirm the configured default client and only allow this skill to be used for explicit Plex playback or browsing requests.

What this means

A future dependency version change could affect behavior or security of the CLI.

Why it was flagged

The dependency is not pinned to an exact version, so future installs may resolve to newer plexapi releases. Installing plexapi is purpose-aligned, but users should be aware of dependency provenance.

Skill content

plexapi>=4.15.0

Recommendation

Install dependencies from trusted package sources and consider pinning/reviewing the exact plexapi version before use.

What this means

Client discovery may contact Plex cloud services using the user's Plex account context when local discovery does not find the client.

Why it was flagged

If local client lookup fails, the code queries MyPlex account resources for cloud discovery. This fallback is disclosed and purpose-aligned, but it means operation is not strictly local in all cases.

Skill content

account = plex.myPlexAccount()
for res in account.resources():

Recommendation

If strict local-only operation is required, review or disable the MyPlex fallback before using the skill.