Skill v1.0.2
ClawScan security
Sonarr Fixed · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 24, 2026, 11:48 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions are largely consistent with its stated purpose (talking to a Sonarr instance to search/add shows); the main issues are minor documentation/metadata mismatches you should be aware of before installing.
- Guidance: This skill looks like a straightforward Sonarr helper, but check two things before installing or running it: (1) Decide whether you will use the config file (~/.openclaw/credentials/sonarr/config.json) or environment variables. The script prefers values from the config file and will overwrite env vars if the config exists (contrary to the SKILL.md claim that env vars override). (2) Protect your Sonarr API key—store the config file with restrictive permissions and only provide the minimum privileges required by your Sonarr instance. Also note that the registry metadata in the package summary appears malformed ("[object Object]") — this looks like a harmless metadata serialization bug but you may want to confirm the source/owner before trusting the skill. If you need higher assurance, review the script (scripts/sonarr.sh) line-by-line and test it in a controlled environment.
Review Dimensions
- Purpose & Capability (ok): The skill is a Sonarr API wrapper: it uses curl/jq to call a Sonarr instance API and requires a Sonarr URL and API key. Those requirements align with the described purpose of searching/adding/removing TV shows.
- Instruction Scope (note): SKILL.md instructs creating ~/.openclaw/credentials/sonarr/config.json (and optionally using SONARR_URL/SONARR_API_KEY to override). The included script implements the described commands (search, add, remove, config) and prints TVDB links as required. However, the SKILL.md claims env vars 'override' the config file but the script reads the config file first and will overwrite any pre-set environment variables if the config file exists (i.e., config takes precedence). This is a functional mismatch between docs and implementation.
- Install Mechanism (ok): This is an instruction-only skill with a small shell script (no install spec). No network downloads or packages are installed by the skill itself, which lowers installation risk.
- Credentials (note): The skill only needs a Sonarr URL and API key (stored in the config file or environment). Those are proportional to its function. Two metadata issues to note: the registry summary in the prompt shows malformed/placeholder entries ("[object Object]") for required env/config, and SKILL.md marks the env vars optional but the script requires the url and apiKey to be present (via config or env). Confirm which mechanism you prefer and ensure the API key is stored securely (correct file permissions).
- Persistence & Privilege (ok): The skill does not request persistent 'always' inclusion, and it does not modify other skills or global settings. It only reads the declared config path and calls the Sonarr API.
