LAN Media Server
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: lan-media-server
Version: 1.0.0
The skill bundle is benign. It sets up a local Node.js HTTP server via a systemd user service to share files from a designated directory on the LAN. The `SKILL.md` clearly describes the purpose and usage, with no prompt injection attempts. The `scripts/setup.sh` script correctly configures and starts the service, and the `scripts/server.js` implements robust path traversal prevention, blocks directory listing, and sets appropriate security headers (e.g., CSP, X-Content-Type-Options). There is no evidence of data exfiltration, malicious execution, or unauthorized persistence.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can reach the server on the network and knows or guesses a filename could download files placed in the shared directory.
The skill deliberately exposes files over HTTP without authentication. This is disclosed and aligned with the LAN-sharing purpose, but access is controlled by network reachability and filename knowledge rather than login checks.
- Serves files only on LAN (0.0.0.0 but typically behind NAT)
- No authentication — don't put sensitive files in the shared directory
Use it only on trusted networks, share only non-sensitive files, consider firewalling or binding to a narrower interface, and remove files after they are no longer needed.
The file server can continue running and serving the shared directory after the immediate sharing task is finished.
The setup script creates a persistent user-level systemd service that restarts automatically and remains enabled until the user disables it.
Restart=always
...
systemctl --user enable media-server.service
systemctl --user restart media-server.service
Stop and disable the service when it is no longer needed, and only enable lingering if you intentionally want it to survive logout or reboot.
Installation may fail on systems without Node.js or systemd, and users should realize the setup script changes their user-level service configuration.
The registry metadata does not declare the setup dependencies or systemd service behavior, even though the included setup script requires local Node.js and systemctl. The behavior is documented in SKILL.md and source is included, so this is an install-metadata gap rather than hidden code.
No install spec — this is an instruction-only skill.
Required binaries (all must exist): none
Code file presence: scripts/server.js; scripts/setup.sh
Review the setup script before running it and ensure Node.js and systemd user services are appropriate for the target machine.
