Overseerr

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill does what it says—uses your Overseerr API key to search, create media requests, and monitor request status—but users should notice that it can create requests and run a polling monitor.

This appears safe for its stated purpose if you trust the configured Overseerr server and API key. Before installing, make sure the API key has acceptable permissions, use search first for ambiguous media titles, and remember that the monitor command keeps polling until you stop it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent action using this skill can act through the configured Overseerr API key, including viewing request data and creating media requests.

Why it was flagged

The skill uses an Overseerr API key for authenticated API calls. This is expected for the integration, but the key grants whatever Overseerr permissions are associated with it.

Skill content

const apiKey = requiredEnv('OVERSEERR_API_KEY'); ... headers = { 'X-Api-Key': apiKey, Accept: 'application/json' }

Recommendation

Use an API key with only the permissions you are comfortable delegating, keep OVERSEERR_URL pointed at your trusted instance, and rotate the key if it may have been exposed.

What this means

A mistaken or ambiguous request could add an unintended movie or TV show request to the Overseerr server.

Why it was flagged

The request script creates a new Overseerr request and automatically uses the first search result. This matches the stated purpose, but it is a state-changing action and could request the wrong title if the search result is ambiguous.

Skill content

const chosen = candidates[0]; ... const created = await overseerrFetch('/request', { method: 'POST', body });

Recommendation

Use search first for ambiguous titles, review the result, and avoid allowing the agent to create requests unless the intended title and type are clear.

Note (High Confidence)

ASI10: Rogue Agents

What this means

If started, the monitor will continue polling the Overseerr API and printing request updates until the process is stopped.

Why it was flagged

The monitor command is a continuous polling loop. It is documented as monitoring behavior and is not automatically started, but it will keep running until stopped.

Skill content

while (true) { ... await new Promise((r) => setTimeout(r, intervalSec * 1000)); }

Recommendation

Run the monitor only when you want continuous status updates, choose a reasonable interval, and stop the process when monitoring is no longer needed.