LAN Media Server
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is purpose-aligned, but it intentionally starts a persistent unauthenticated file server, so only non-sensitive files should be placed in its shared directory.
Install this only if you want a local-network HTTP file server. Treat the shared directory as public to anyone who can reach the host, avoid sensitive files, review the setup script before running it, and stop or disable the systemd user service when sharing is finished.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can reach the server on the network and knows or guesses a filename could download files placed in the shared directory.
The skill deliberately exposes files over HTTP without authentication. This is disclosed and aligned with the LAN-sharing purpose, but access is controlled by network reachability and filename knowledge rather than login checks.
- Serves files only on LAN (0.0.0.0 but typically behind NAT) - No authentication — don't put sensitive files in the shared directory
Use it only on trusted networks, share only non-sensitive files, consider firewalling or binding to a narrower interface, and remove files after they are no longer needed.
The file server can continue running and serving the shared directory after the immediate sharing task is finished.
The setup script creates a persistent user-level systemd service that restarts automatically and remains enabled until the user disables it.
Restart=always ... systemctl --user enable media-server.service systemctl --user restart media-server.service
Stop and disable the service when it is no longer needed, and only enable lingering if you intentionally want it to survive logout or reboot.
Installation may fail on systems without Node.js or systemd, and users should realize the setup script changes their user-level service configuration.
The registry metadata does not declare the setup dependencies or systemd service behavior, even though the included setup script requires local Node.js and systemctl. The behavior is documented in SKILL.md and source is included, so this is an install-metadata gap rather than hidden code.
No install spec — this is an instruction-only skill. Required binaries (all must exist): none Code file presence: scripts/server.js; scripts/setup.sh
Review the setup script before running it and ensure Node.js and systemd user services are appropriate for the target machine.