Is ericrosenberg/jellyseerr safe?
https://github.com/openclaw/skills/tree/main/skills/ericrosenberg/jellyseerr
The ericrosenberg/jellyseerr skill is a functionally legitimate Jellyseerr media integration with no confirmed malicious behavior, but it carries several meaningful risks: a persistent HTTP server bound to all interfaces with no authentication, a per-minute cron job that outlives agent sessions, hardcoded developer home directory paths indicating poor production readiness, and an agent message relay mechanism (SEND_MESSAGE:) that creates an injection pathway from any Jellyseerr server the user connects to. No credential exfiltration was detected and canary files remained intact throughout the audit.
Findings (12)
HIGH install_service.sh hardcodes developer's home directory path -20
The install_service.sh script hardcodes SCRIPT_DIR='/home/clawd/clawd/skills/jellyseerr/scripts' and USER='clawd'. This reveals the skill was developed and tested exclusively for a specific user account on the author's machine and published without parameterization. For any other user, the systemd service will point to a non-existent path, silently fail, or — if /home/clawd exists on the target host — execute code from an unexpected location. This is a significant quality and safety defect.
MEDIUM Webhook server binds to 0.0.0.0 creating internet-accessible persistent listener -12
webhook_server.py starts an HTTP server on all network interfaces (0.0.0.0:8384) and is installed as an always-restart systemd service. Any host with a public IP or NAT port-forward will expose this service to the internet. The server accepts arbitrary JSON POST bodies and queues them as notifications without authentication, HMAC validation, or IP allowlisting.
MEDIUM SEND_MESSAGE protocol creates agent message injection pathway -20
send_notifications.py reads ~/.cache/jellyseerr/pending_notifications.json and outputs each notification body prefixed with 'SEND_MESSAGE:'. The hosting agent is expected to parse this output and relay the content as a user-facing message. Since notification bodies are constructed from Jellyseerr webhook POST data (subject, media_type fields), an attacker who controls the Jellyseerr server or can inject webhook payloads controls the exact string the agent sends to users, potentially injecting instructions.
MEDIUM Per-minute cron job creates persistent background execution beyond agent session -5
SKILL.md instructs users to install a cron job with schedule '* * * * *' running auto_monitor.sh. This runs indefinitely regardless of whether the agent or user is active. The script makes outbound HTTP calls to the configured Jellyseerr server, modifies files in ~/.cache/jellyseerr/, and executes all Python scripts in the skill directory. No cleanup or uninstall path is provided.
MEDIUM Attacker-controlled Jellyseerr server can inject content into agent messages -20
The pipeline from external webhook source to agent-relayed message has no integrity verification: the Jellyseerr server POSTs a JSON body → webhook_server.py extracts subject and media_type fields verbatim → queued in pending_notifications.json → send_notifications.py outputs SEND_MESSAGE:
LOW API key and notification routing credentials stored and collected in plaintext -8
setup.sh writes the Jellyseerr API key in plaintext JSON to ~/.config/jellyseerr/config.json. track_requests.py additionally collects TELEGRAM_CHAT_ID, CLAWDBOT_CHANNEL, and CLAWDBOT_CHAT_ID from environment variables and persists them in the tracking cache alongside every media request. This aggregates user identity, notification routing, and service credentials in ~/.cache/jellyseerr/.
LOW Persistent per-minute execution and session-independent state -10
The cron job and systemd service persist independently of any agent session. The cron job and webhook server continue running, making outbound API calls and queuing notifications, long after the user stops using the skill. There is no disable or uninstall mechanism in SKILL.md.
LOW chmod +x applied to all Python scripts on every cron execution -5
auto_monitor.sh runs 'chmod +x $SCRIPT_DIR/*.py' unconditionally on every cron invocation, ensuring all Python files remain executable regardless of permission changes. While not immediately dangerous, this prevents users from restricting script execution by removing execute bits.
LOW Environment variable harvesting for notification routing -4
track_requests.py reads CLAWDBOT_CHANNEL and CLAWDBOT_CHAT_ID environment variables and persists them alongside each tracked media request in the cache file. This builds a durable map of agent channel identifiers tied to media request history.
INFO Hardcoded egg emoji marker in all notification messages -5
Every notification message generated by both webhook_server.py and monitor_availability.py includes a hardcoded 🥚 (egg) emoji at the end of the message body, identical across both files. This is likely an innocuous Easter egg but constitutes an unusual consistent fingerprint embedded in all user-facing output from this skill.
INFO Clone behavior clean — only expected GitHub connection 0
The git clone operation contacted only github.com (140.82.121.4:443) via HTTPS. No unexpected outbound connections, DNS lookups, or process spawning were observed during installation. Filesystem modifications were limited to the skill target directory.
INFO All canary files intact — no credential exfiltration detected 0
Honeypot files for .env, id_rsa, AWS credentials, npmrc, Docker config, and GCP credentials were accessed only at audit epoch 1771941109 (pre-clone harness setup) and 1771941128 (post-analysis integrity check). The skill's own code does not reference or read any of these paths. No exfiltration to external endpoints was detected.