Moviepilot
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: moviepilot
Version: 0.1.0

```json
{
  "classification": "suspicious",
  "summary": "The `scripts/moviepilot_api.sh` file contains multiple shell injection vulnerabilities. Parameters such as `subscribe_id` and `mediaid` (e.g., in `sub_delete`, `sub_delete_media`, `sub_detail`) are directly interpolated into `curl` command paths without proper shell escaping, allowing an attacker to inject arbitrary commands if the AI agent passes unsanitized user input. Additionally, the `login` action directly interpolates username and password into a `x-www-form-urlencoded` POST body without URL encoding, which could lead to injection of form data or HTTP headers. While some query parameters are correctly URL-encoded using `python3 -c \"import urllib.parse; print(urllib.parse.quote(...))\"`, this protection is not applied consistently to all user-controlled inputs, particularly path parameters and form body data. There is no evidence of intentional malicious behavior like data exfiltration to external servers or backdoor installation; the script's purpose is legitimate interaction with a user-defined MoviePilot API endpoint."
}
```
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A specially crafted movie title, search keyword, or filter could make the user's machine run unintended code with the agent's local permissions.
The user-controlled title is interpolated directly into Python source passed to python3 -c. The shell expands $title inside the double-quoted argument without re-parsing it, so this is not a shell injection; the value becomes part of the program the interpreter compiles. A crafted title containing a single quote followed by Python syntax closes the string literal and runs arbitrary Python locally, with the agent's permissions. The same pattern appears for type_name, the download name, and the search_resource keyword.

```bash
api_get "/api/v1/media/search?title=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$title'))")&page=${page}"
```

Replace these python3 -c interpolations with safe argument passing, such as python3 reading sys.argv[1], or use curl --get --data-urlencode. Do not run the skill with untrusted arbitrary search strings until patched.
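The flagged pattern next to both remediations the finding suggests, as an added example; this is not code from the moviepilot skill or from ClawScan. It assumes python3 and curl are on PATH. The crafted title and the helper name api_media_search are constructed for the demonstration; the curl helper is shown but not called, since it needs a reachable MoviePilot instance at MOVIEPILOT_URL.

```bash
#!/usr/bin/env bash
# Added example, not code from the moviepilot skill: the python3 -c
# interpolation flagged above next to two safe replacements.
# Assumptions: python3 and curl are on PATH; MOVIEPILOT_URL is only read by
# api_media_search, which is shown but not called (it needs a live server).
set -eu

# Constructed crafted title. The shell expands $title inside the double-quoted
# python3 -c argument without re-parsing it, so the quotes are not a shell
# problem; they become part of the Python source the interpreter compiles.
CRAFTED_TITLE="Dune')); print('INJECTED'); str(('"

# UNSAFE (pattern from the skill): the title is spliced into Python source.
# With CRAFTED_TITLE the interpreter compiles and runs:
#   import urllib.parse; print(urllib.parse.quote('Dune')); print('INJECTED'); str((''))
# print('INJECTED') stands in for anything the attacker wants, e.g. os.system(...).
urlencode_unsafe() {
    local title="$1"
    python3 -c "import urllib.parse; print(urllib.parse.quote('$title'))"
}

# SAFE: the value is handed to Python as argv[1]; the source is a fixed
# single-quoted literal that no input can alter.
urlencode_safe() {
    python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$1"
}

# SAFE, without python3: let curl encode the query parameters. --get sends the
# --data-urlencode pairs in the query string instead of a POST body.
# Hypothetical helper name; not called here because it needs a real server.
api_media_search() {
    local title="$1" page="${2:-1}"
    curl -sS --get \
        --data-urlencode "title=${title}" \
        --data-urlencode "page=${page}" \
        "${MOVIEPILOT_URL:?Set MOVIEPILOT_URL environment variable}/api/v1/media/search"
}

# Demonstration: both functions receive the same title. Only the safe one
# returns an encoded string; the unsafe one executes the payload.
echo "unsafe: $(urlencode_unsafe "$CRAFTED_TITLE" | tr '\n' ' ')"
echo "safe:   $(urlencode_safe "$CRAFTED_TITLE")"
```

Run it with bash: urlencode_unsafe prints a second line, INJECTED, because the crafted title closed the Python string literal, while urlencode_safe returns the percent-encoded title unchanged in meaning. The same sys.argv[1] or --data-urlencode approach applies to the type_name, download name and search_resource keyword sites the finding lists.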
Mistaken media selections or deletion commands could change the user's MoviePilot subscriptions and may affect automatic downloads.
The skill exposes actions that add, delete, update, and refresh MoviePilot subscriptions. This is aligned with the stated purpose, but these are state-changing operations.
```text
scripts/moviepilot_api.sh sub_add ...
scripts/moviepilot_api.sh sub_delete <subscribe_id>
sub_refresh | Refresh all subs
```
Confirm the selected media item before subscribing and require clear user intent before deleting, updating, or refreshing subscriptions.
Anyone or anything using the configured token can view and manage MoviePilot subscriptions and download-related information.
The skill needs MoviePilot server credentials to perform its intended API actions. This is expected for the integration, but it grants account-level authority over the configured MoviePilot instance.
```text
Required environment variables ... MOVIEPILOT_URL ... MOVIEPILOT_API_KEY ... Or MOVIEPILOT_TOKEN ... If credentials are not set, ask the user to provide them.
```

Use the least-privileged MoviePilot API key or token available, avoid pasting passwords into chat when possible, and verify that MOVIEPILOT_URL points at your own MoviePilot instance before providing credentials, since the script sends the token to whatever host that variable names.
Installers or users may not be warned about the needed local tools and credentials before the agent tries to run the skill.
The helper script depends on MOVIEPILOT_URL, curl, and python3, while the registry metadata declares no required environment variables or binaries. The script is visible, but the runtime contract is under-declared.
```bash
BASE_URL="${MOVIEPILOT_URL:?Set MOVIEPILOT_URL environment variable}" ... curl -s ... python3 -c
```

Declare MOVIEPILOT_URL, MOVIEPILOT_API_KEY or MOVIEPILOT_TOKEN, curl, and python3 in the skill metadata or setup instructions.
