ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sonarr Fixed

v1.0.2

Search and add TV shows to Sonarr. Supports monitor options, search-on-add. FORK of jordyvandomselaar/sonarr with fixed metadata.

0· 425·0 current·0 all-time
by@frannunpal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill is a Sonarr API wrapper: it uses curl/jq to call a Sonarr instance API and requires a Sonarr URL and API key. Those requirements align with the described purpose of searching/adding/removing TV shows.
Instruction Scope
SKILL.md instructs creating ~/.openclaw/credentials/sonarr/config.json (and optionally using SONARR_URL/SONARR_API_KEY to override). The included script implements the described commands (search, add, remove, config) and prints TVDB links as required. However, the SKILL.md claims env vars 'override' the config file but the script reads the config file first and will overwrite any pre-set environment variables if the config file exists (i.e., config takes precedence). This is a functional mismatch between docs and implementation.
Install Mechanism
This is an instruction-only skill with a small shell script (no install spec). No network downloads or packages are installed by the skill itself, which lowers installation risk.
Credentials
The skill only needs a Sonarr URL and API key (stored in the config file or environment). Those are proportional to its function. Two metadata issues to note: the registry summary in the prompt shows malformed/placeholder entries ("[object Object]") for required env/config, and SKILL.md marks the env vars optional but the script requires the url and apiKey to be present (via config or env). Confirm which mechanism you prefer and ensure the API key is stored securely (correct file permissions).
Persistence & Privilege
The skill does not request persistent 'always' inclusion, and it does not modify other skills or global settings. It only reads the declared config path and calls the Sonarr API.
Assessment
This skill looks like a straightforward Sonarr helper, but check two things before installing or running it: (1) Decide whether you will use the config file (~/.openclaw/credentials/sonarr/config.json) or environment variables. The script prefers values from the config file and will overwrite env vars if the config exists (contrary to the SKILL.md claim that env vars override). (2) Protect your Sonarr API key—store the config file with restrictive permissions and only provide the minimum privileges required by your Sonarr instance. Also note that the registry metadata in the package summary appears malformed ("[object Object]") — this looks like a harmless metadata serialization bug but you may want to confirm the source/owner before trusting the skill. If you need higher assurance, review the script (scripts/sonarr.sh) line-by-line and test it in a controlled environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97caw225rbzqcy6q2chm6v1y981rqed

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📺 Clawdis
Binscurl, jq
Env[object Object], [object Object]
Config[object Object]

Comments