Jellyseerr

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says for Jellyseerr, but its optional notification setup creates a persistent unauthenticated network listener and background jobs that deserve manual review before installation.

Install the basic search/request parts only if you are comfortable storing a Jellyseerr API key in ~/.config/jellyseerr/config.json. Treat the webhook setup as a Review item: run the sudo/systemd installer only if you want a long-running service, restrict port 8384 to Jellyseerr or localhost, avoid broad firewall exposure, and consider adding a shared secret or reverse proxy authentication before enabling it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (6)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The documentation recommends running a service installation script with sudo but does not explain what system changes will occur, such as installing a persistent listener, writing service files, or opening a local port. This is dangerous because users may grant elevated privileges without understanding the scope or persistence of the modification.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The polling setup modifies the user's crontab to create a recurring scheduled task every minute, but the documentation does not clearly warn that this is a persistent background change. Persistent scheduled execution can surprise users, consume resources, and continue running scripts long after the user intended.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The guide instructs users to expose a webhook endpoint over HTTP on a reachable IP and later suggests opening the firewall port, but it does not warn about network exposure, lack of authentication, or possible spoofed/unsolicited requests. In the context of a self-hosted media tool, this creates a real risk of exposing notification data and an internal service to other hosts on the network or beyond if misconfigured.

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The API reference documents use of an authenticated X-Api-Key header and includes a state-changing media request endpoint, but it does not warn that these operations can trigger real server-side actions or require careful authorization handling. In an agent skill context, this omission can make it easier for downstream tool builders or agents to treat the endpoint as routine read-only API usage, increasing the risk of unauthorized or unintended media requests if user intent and permissions are not explicitly verified.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script prompts for a Jellyseerr API key and persists it in plaintext to a local JSON config file. Although file permissions are tightened with chmod 600, users are not explicitly warned that a long-lived credential will be stored on disk, which increases the chance of accidental exposure through backups, dotfile syncing, or shared account environments.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The handler logs the entire webhook JSON payload at INFO level, which can expose request metadata and any user/content details included by Jellyseerr to logs that may be readable by other local users, log collectors, or support systems. In this skill context, webhook payloads may include media request details and identifiers, so indiscriminate logging increases privacy and data-handling risk even if it is not directly enabling code execution.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal