Plex

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: plex-skill
Version: 0.1.0

The Plex skill bundle provides standard documentation and curl commands for interacting with a Plex Media Server API. It uses environment variables (PLEX_SERVER and PLEX_TOKEN) as intended for authentication and contains no evidence of malicious intent, data exfiltration, or prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill can see Plex library information, recent/on-deck items, active sessions, and available clients for the configured server.

Why it was flagged

The skill requires and uses a Plex authentication token to access the Plex API. This is expected for the stated purpose, but it gives the agent access to private Plex server data and potentially Plex control actions.

Skill content

`PLEX_TOKEN`: Your Plex auth token ... curl -s "$PLEX_SERVER/library/sections?X-Plex-Token=$PLEX_TOKEN"

Recommendation

Only provide a Plex token for a server you want the agent to access, avoid sharing the token elsewhere, and revoke or rotate it if you stop using the skill.

What this means

If used incorrectly, direct API calls could reveal Plex data or trigger Plex actions under the user's account/server token.

Why it was flagged

The skill exposes raw curl-based API commands. This is central to the Plex-control purpose and not suspicious by itself, but users should be aware it relies on direct API calls using their token.

Skill content

Control Plex Media Server using the Plex API. ... curl -s "$PLEX_SERVER/search?query=SEARCH_TERM&X-Plex-Token=$PLEX_TOKEN"

Recommendation

Review requested actions before allowing control operations, especially playback or other non-read actions, and keep the documented confirmation step for playback.