PlexMedia2HTML Export
v1.3.1Exports Plex Media Library (Movies & TV Shows) as static HTML pages. Features: Multilingual (EN/DE), token obfuscation (machine-bound), genre filter, detail...
⭐ 1· 132·1 current·1 all-time
by@kesuek
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description claim exporting a Plex library and the code implements Plex API calls, image downloads, HTML generation, local config storage, and machine-bound token obfuscation—these are coherent. Minor inconsistency: skill.json claims "sichere Token-Verschlüsselung" (secure encryption) while SKILL.md clearly admits the token storage is only obfuscation (XOR+Base64). This is an overstatement but not evidence of maliciousness.
Instruction Scope
Runtime instructions match the code: prompt for Plex URL/token, store config in ~/.openclaw/workspace/data/..., read /etc/machine-id (documented) to derive a machine-bound key, and call the Plex server only. The SKILL.md explicitly documents the machine-id read and the --insecure option (which disables SSL verification) — both are within the exporter's scope.
Install Mechanism
There is no install spec (instruction-only) and the bundle contains export.py as main. SKILL.md and skill.json reference a 'plex-export' wrapper/CLI command; no separate wrapper file is present in the manifest. That is a documentation/packaging mismatch you should verify (ClawHub may create the wrapper at install time). No network downloads or external packages are pulled by the skill itself.
Credentials
The skill requests no environment variables or external credentials beyond the Plex token entered interactively. It only reads local system identifiers (/etc/machine-id or hostname+username) for token obfuscation; this is documented and proportional to the stated feature (machine-binding the stored token).
Persistence & Privilege
The skill stores a config file under the user's home (~/.openclaw/workspace/data/plexmedia2html-export/config.json), sets file permissions to 600, and does not request elevated or system-wide privileges. always:false and normal autonomous invocation settings are used.
Assessment
This package appears to do what it says: export a Plex library to static HTML and locally store an obfuscated Plex token bound to the machine. Before installing, verify these points: 1) Source trust: the skill's source/homepage is unknown—review the export.py file yourself or install in an isolated environment. 2) Token security: the code uses XOR+Base64 with a machine-derived key (obfuscation, not strong encryption). If you require stronger protection, use an OS keyring or avoid storing the token. 3) Installer wrapper: SKILL.md mentions a 'plex-export' wrapper/CLI but the manifest lacks a separate wrapper file—confirm how ClawHub will expose the CLI or run export.py directly. 4) SSL: avoid using --insecure unless you trust the network and Plex server (it disables certificate verification). 5) Permissions: verify config file location and that CONFIG_FILE is chmod 600 as claimed. If any of these points are unacceptable, test the script manually, or require modifications (e.g., replace obfuscation with keyring storage) before using.Like a lobster shell, security has layers — review code before you run it.
exportvk973bqgz556rthxpsdw9j30qg583c80shtmlvk973bqgz556rthxpsdw9j30qg583c80slatestvk97b8830hvwkjh8ctjrzsrywfn83ewb1mediavk973bqgz556rthxpsdw9j30qg583c80smultilingualvk973bqgz556rthxpsdw9j30qg583c80splexvk973bqgz556rthxpsdw9j30qg583c80ssecurevk973bqgz556rthxpsdw9j30qg583c80s
License
MIT-0
Free to use, modify, and redistribute. No attribution required.