Jellyfin Control

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Jellyfin and TV-control purpose, but its Android TV ADB path can let crafted app or device values run shell commands on the host.

Install only if you trust the publisher and can avoid or patch the direct Android TV ADB backend. Use least-privilege Jellyfin and Home Assistant credentials, avoid admin Jellyfin keys unless you need scan/history, keep ADB enabled only on trusted networks, and do not pass arbitrary app IDs or device values into TV launch commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The manifest description understates the skill's real capabilities by omitting ADB-based device control and administrative Jellyfin actions like library scans and user history access. This is dangerous because users or reviewers may grant powerful credentials and install the skill believing it only performs media playback tasks, when it can also access broader data and trigger privileged operations.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
Omitting administrative Jellyfin operations such as library scan and cross-user history access from the manifest description can mislead users about the sensitivity of the privileges they are granting. In context, this skill handles API keys and potentially admin-level tokens, so undisclosed admin features materially increase the risk of privacy exposure and unintended server-side actions.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
Omitting administrative Jellyfin operations such as library scan and cross-user history access from the manifest description can mislead users about the sensitivity of the privileges they are granting. In context, this skill handles API keys and potentially admin-level tokens, so undisclosed admin features materially increase the risk of privacy exposure and unintended server-side actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata says it controls Jellyfin playback, sessions, and TV state, but this CLI also exposes user activity history and library statistics. That mismatch expands the tool's effective capability into privacy-sensitive monitoring and inventory disclosure, which can mislead operators or higher-level agents into granting broader access than intended.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest does not mention administrative library management, yet the CLI can trigger a Jellyfin library scan. This is a capability mismatch that can lead to unintended administrative actions, especially if an orchestrating agent or user trusts the declared scope and invokes the tool in a lower-privilege context.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill exposes access to Jellyfin's admin-only activity log and can retrieve another user's viewing/activity history, which exceeds the stated media playback/control scope. Even if Jellyfin enforces admin authorization, embedding this capability in a generally described control skill creates an unnecessary privacy-sensitive permission surface and enables collection of user activity data if the skill is provisioned with elevated credentials.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill can trigger a full Jellyfin library refresh, an administrative operation outside the advertised playback and TV control functionality. This expands the blast radius of the skill from media control into server administration, allowing unintended or abusive operational changes when admin credentials are supplied.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code builds shell command strings and passes them to `execSync` using attacker-controllable environment values such as `ADB_DEVICE` and `appId`. Because these values are interpolated directly into the shell command, an attacker who can influence configuration or inputs could achieve command injection on the host running the skill, not just on the TV.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The README promotes one-command automation that powers on a TV, launches apps, and starts playback, but it does not prominently warn that these commands trigger real actions on connected devices and may interrupt active viewing. This is not a code execution risk, but it is a genuine safety/operational concern because a user or downstream agent could invoke actions without appreciating their side effects.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The usage examples list direct commands such as `tv on`, `tv off`, `tv launch`, and `tv play` without an adjacent caution that they immediately affect physical devices and active media sessions. In the context of an agent skill intended for natural-language control, omission of that warning increases the chance of accidental disruptive actions by users or automated tooling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code performs an admin-only fetch of activity log entries and filters by user ID without any in-band disclosure, consent check, or warning at the point of execution. Because this accesses potentially sensitive behavioral data, the lack of user-facing notice and scope limitation makes privacy exposure more likely, especially in an automation skill whose description emphasizes playback control rather than monitoring.

VirusTotal

66/66 vendors flagged this skill as clean.
