Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
emby
v1.0.0Integrate with Emby Server API to manage media libraries, users, playback, live TV, devices, and encoding settings through comprehensive endpoints.
⭐ 0· 293·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the provided code: emby.py implements a large wrapper around Emby Server endpoints (items, users, playback, LiveTV, images, backups, etc.). The requested capabilities align with what an Emby integration would need (HTTP requests to an Emby server). There are no unrelated service credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md instructs users to edit BASE_URL and API_KEY at the top of emby.py to point to their server and API key. That instruction is within the task's scope (configuring the client) but grants broad discretion to modify source code and embed secrets. The documentation also references operations that can upload/restore backups and upload camera content — these are powerful operations that should be clearly documented and permissioned, but they are expected for a full-featured Emby client. SKILL.md does not instruct reading unrelated files or environment values, nor does it instruct exfiltration to unexpected endpoints.
Install Mechanism
No install spec — instruction-only plus an included Python module. That is low-risk compared to arbitrary downloads or install scripts. The code depends on requests (standard for HTTP) but no package install is declared in the registry metadata; user will need to ensure 'requests' is available.
Credentials
The skill declares no required environment variables or primary credential, yet the distributed code contains a literal API_KEY value and instructs editing emby.py to insert credentials. Embedding a secret in the codebase (or asking users to put secrets in source) is poor practice and increases risk of accidental leakage or misuse. The skill should instead declare a required env var (e.g., EMBY_API_KEY and EMBY_BASE_URL) and read them at runtime. Additionally, functions that download/upload media and restore backups are capable of moving data; verify the API key's scope and rotate it if it was used for testing.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed by platform default but is not combined with other privilege escalation indicators here.
What to consider before installing
This skill is a plausible Emby API client, but do not install or use it as-is without changes: (1) The distributed emby.py contains a hard-coded API_KEY — treat that as a leaked test key and do not reuse it. Replace it by reading credentials from environment variables (e.g., EMBY_BASE_URL and EMBY_API_KEY) and update SKILL.md to declare those requirements. (2) Review functions that download, upload, or restore backups (they can move or overwrite data) and limit the API key’s permissions accordingly. (3) Run the code in an isolated environment and inspect network activity to confirm it only talks to your Emby server. (4) Prefer the maintainer provide a version that reads configuration from env vars or a secure config store rather than instructing users to edit source files. If you need higher assurance, ask the publisher to explain why a key is hard-coded and request a version that follows secure credential handling.Like a lobster shell, security has layers — review code before you run it.
latestvk97ffev5tnzq5gbj113tyj1jfs82ptf4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.