plex-ctl

clawhub:plex-ctl

View source

69/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

69/100

HIGH 1

MEDIUM 2

LOW 1

Findings (4)

HIGH

Internal IP range access SSRF_002

ssrf-cloud L38

Detects references to private/internal IP ranges in URL context

http://192.168.86.86:

FIX

Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.

FP?

Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.

MEDIUM

Internal IP range access SSRF_002

ssrf-cloud L127

Detects references to private/internal IP ranges in URL context

http://192.168.86.86:

FIX

Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.

FP?

Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.

MEDIUM

Internal IP range access SSRF_002

ssrf-cloud L232

Detects references to private/internal IP ranges in URL context

http://192.168.86.86:

FIX

Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.

FP?

Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.

LOW

pip install arbitrary package EXTDL_009

external-download L99

Detects pip install of arbitrary packages that modify the host environment

pip install pl

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.