ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Plex Media Remote

v1.1.0

A standalone command-line skill to interact with and manage Plex Media Server directly, featuring playback controls and secured temporary caching.

0· 109·0 current·0 all-time
byYahya@ymgenc

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ymgenc/plex-control.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Plex Media Remote" (ymgenc/plex-control) from ClawHub.
Skill page: https://clawhub.ai/ymgenc/plex-control
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: PLEX_URL, PLEX_TOKEN
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install plex-control

ClawHub CLI

Package manager switcher

npx clawhub@latest install plex-control
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The script and SKILL.md claim the skill requires PLEX_URL and PLEX_TOKEN and the binaries 'uv' and 'python3' (and the Python dependency plexapi). Those requirements are coherent with a Plex-control CLI. However, the registry-level info provided at the top of the package (the 'Requirements' summary) lists no required env vars or binaries — a direct inconsistency between how the skill advertises itself at the package level and the internal metadata.json / SKILL.md. This mismatch is unexplained and could cause confusion or accidental failure when installing or running the skill.
Instruction Scope
The SKILL.md instructs the agent to run the included script via 'uv run scripts/plex_cli.py' and to inject PLEX_URL and PLEX_TOKEN into the environment. The script only contacts the specified Plex server and writes a JSON cache to the OS temp dir; it does not attempt to read local dotfiles or other system credentials. It does, however, fetch and return potentially sensitive live session data (usernames, playback state, client addresses) to stdout — this is expected for a Plex management tool but is privacy-sensitive and should be considered by the user.
Install Mechanism
There is no formal install spec (instruction-only), which is low risk, but the SKILL.md and metadata.json expect dependencies to be handled automatically via the 'uv' runner. 'uv' is an uncommon runtime tool and is listed as a required binary inside metadata.json but was not declared in the top-level package requirements. Because there is no explicit, reproducible install step, running the skill may fail or cause the agent to try to install/run tools it doesn't have. No network download URLs or extract/install steps are present.
Credentials
The only sensitive environment variables accessed are PLEX_URL and PLEX_TOKEN, which are proportionate and necessary for connecting to a Plex server. The script reads only those env vars. The problem is that the top-level provided manifest initially listed no required env vars while internal files require them — a packaging inconsistency the user should resolve before granting credentials.
Persistence & Privilege
The skill does not request permanent or privileged presence: 'always' is false, it does not modify other skills or system-wide settings, and it writes only a transient cache to the OS temp directory. It does not persist tokens to disk. No elevated privileges or persistent agent modifications are requested.
What to consider before installing
This skill appears to implement a legitimate Plex CLI and only needs your Plex URL and token to function, but there are a few concerns to check before installing: - Confirm the source: the package has no homepage and comes from an unknown owner. If you don't trust the author, don't install. - Resolve the metadata mismatch: the top-level registry summary lists no required env vars/binaries, but SKILL.md and metadata.json require PLEX_URL, PLEX_TOKEN, 'uv', and 'python3'. Make sure you (or the platform) provide these correctly; otherwise the agent may fail or attempt unexpected actions. - 'uv' is an uncommon runner; ensure you know what 'uv' will do on your system or provide an alternate invocation (python3 scripts/plex_cli.py) if you prefer. - Treat PLEX_TOKEN as a sensitive secret. Only provide it if you trust the skill and the environment where it's run. - Consider privacy: the skill returns live session info (usernames, player addresses) to stdout and caches media titles/actors/genres in the system temp directory. If that is acceptable for your environment, proceed; otherwise do not install. If you want higher assurance, ask the publisher for a known homepage or repo, or run the included script locally in a controlled environment first to verify behavior.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Environment variables
PLEX_URLrequired
PLEX_TOKENrequired
latestvk977mp58j83cxwdv8pychq9629849sm2
109downloads
0stars
3versions
Updated 3w ago
v1.1.0
MIT-0
Yahya@ymgenc
latest
Download

Plex Standalone Skill

This skill allows the OpenClaw agent to directly query and manage a Plex Media Server using a standalone Python CLI script.

Requirements

  1. Environment Variables:

    • PLEX_URL: Your Plex server address (e.g., http://192.168.1.100:32400).
    • PLEX_TOKEN: Your private Plex authentication token.

  2. Python:

    • The script uses plexapi. Dependencies are managed automatically via uv.

How to Use the Skill

The agent invokes the script via the command line. The output is structured JSON.

Command Syntax

uv run scripts/plex_cli.py <action> [arguments]

Supported Actions

  • info: Get basic server info.
  • sync: Refresh the lightning-fast search cache (stored in the system's temporary directory).
  • search <query>: Instantly search for movies, shows, episodes, actors, or genres using the local cache.
  • clients: List active playback devices.
  • play <client_name> <query_or_key>: Tell a device to play a specific item.
  • pause/resume/stop <client_name>: Basic playback control.
  • continue: List items currently in "Continue Watching".

Security & Configuration

This skill is designed for maximum security and minimal footprint:

  • Registry Metadata: Detailed requirements, including required environment variables (PLEX_URL, PLEX_TOKEN) and required binaries (uv, python3), are formally declared in metadata.json.
  • Environment Handling: Credentials are injected directly into the execution environment. The skill does not read local .env files, preventing accidental credential exposure.
  • Privacy & Caching:
    • The skill caches an index of your library names, genres, and artist names in the OS temporary directory for search performance.
    • Live Metadata (sessions, usernames, playback states) is fetched in real-time and is never stored or cached.
    • The cache is transient and resides in the system's temporary storage, which is automatically cleaned by the OS.

Comments

Loading comments...