Plex
Pass. Audited by ClawScan on May 1, 2026.
Overview
This instruction-only Plex skill is coherent, but it requires a Plex token that lets the agent query and potentially control your media server.
Before installing, make sure you are comfortable giving the agent a Plex token for the configured server. The skill appears simple and purpose-aligned, but that token can expose your media library, viewing activity, active sessions, and available clients. Keep the token private and require confirmation before any playback or control action.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill can see Plex library information, recent/on-deck items, active sessions, and available clients for the configured server.
The skill requires and uses a Plex authentication token to access the Plex API. This is expected for the stated purpose, but it gives the agent access to private Plex server data and potentially Plex control actions.
`PLEX_TOKEN`: Your Plex auth token ... `curl -s "$PLEX_SERVER/library/sections?X-Plex-Token=$PLEX_TOKEN"`
Only provide a Plex token for a server you want the agent to access, avoid sharing the token elsewhere, and revoke or rotate it if you stop using the skill.
If used incorrectly, direct API calls could reveal Plex data or trigger Plex actions under the user's account/server token.
The skill exposes raw curl-based API commands. This is central to the Plex-control purpose and not suspicious by itself, but users should be aware it relies on direct API calls using their token.
Control Plex Media Server using the Plex API. ... `curl -s "$PLEX_SERVER/search?query=SEARCH_TERM&X-Plex-Token=$PLEX_TOKEN"`
Review requested actions before allowing control operations, especially playback or other non-read actions, and keep the documented confirmation step for playback.
