Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
emby-manager
v1.0.0管理运行在 Linux NAS 上的 Emby 媒体服务器。当用户提到 Emby、媒体库、NAS 娱乐管理、刮削元数据、查看播放记录、管理用户权限、检查服务器状态等任何与 Emby 相关的操作时,必须使用此 Skill。即使用户只是问"帮我看看 Emby 状态"、"媒体库扫描一下"、"谁在看片"这类口语化表达,也...
⭐ 0· 63·0 current·0 all-time
by六面体@gmd170629
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill name/description (Emby management) matches the instructions and reference docs: API endpoints, library operations, user/permission management, sessions, logs, and troubleshooting. It does not request unrelated credentials, binaries, or config paths.
Instruction Scope
Instructions expect the agent to ask the user for the Emby server address and API key and then perform API calls (GET/POST/DELETE) and present structured results. The docs also include Linux system commands (systemctl, sudo, ufw, chown, journalctl) as optional troubleshooting steps when the user can run them or has SSH access. The skill instructs the agent to 'remember' the API key for the duration of the conversation — this is reasonable for session use but increases sensitivity of what the agent holds in memory.
Install Mechanism
No install spec and no code files that would be written to disk; instruction-only skills have minimal installation risk.
Credentials
The skill requests only the Emby server address and API key at runtime (declared in SKILL.md). No additional environment variables, system credentials, or unrelated tokens are requested. The API key is reasonable for the described operations but is a high-privilege secret for the Emby instance.
Persistence & Privilege
always is false and the skill is user-invocable. There is no instruction to modify other skills or global agent configuration. The only persistence implied is conversational memory of the provided server address and API key during the session.
Assessment
This skill appears to do what it says: manage an Emby server via its API. Before providing an API key, consider: 1) only supply it to a trusted agent instance and over an encrypted connection (use https and local network access where possible); 2) prefer creating a scoped or temporary API key if Emby supports it and avoid sharing root/SSH credentials; 3) be aware that API keys grant control over media, users, and logs — treat them as sensitive and rotate them if exposed; 4) confirm destructive actions (deleting items, modifying user policies) before executing and never run system-level sudo commands unless you understand them; 5) avoid pasting full logs that might contain other secrets or personal data. If you want additional certainty, request the skill author/source or run the interactions in a sandboxed/test Emby instance first.Like a lobster shell, security has layers — review code before you run it.
latestvk974v1f6s0mjkc1hp77mamzjhs83qfjw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.