tautulli-analytics
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The skill documentation explicitly instructs the use of environment variables (HSH_TAUTULLI_API_KEY) for authentication, avoiding hardcoded secrets.
- [Indirect Prompt Injection] (LOW): The skill ingests external data from the Tautulli API, such as watch history and collection names. This creates a surface for indirect prompt injection if an attacker can manipulate Plex metadata, but is considered a standard operational risk for this use case.
- [Automated Scan Results] (SAFE): The malicious URL alert for logger.info is a false positive. It refers to a common Python logging statement (logger.info()) mentioned in the documentation for operational monitoring, not a network destination.
- [Command Execution] (SAFE): No unauthorized or dangerous command execution patterns were found. The use of standard filesystem tools (Read, Grep, etc.) is appropriate for the skill's stated purpose.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata