Overseerr
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: overseerr
Version: 0.1.0
The skill bundle is benign. It provides functionality to interact with a self-hosted Overseerr instance for media requests and status monitoring. All network calls are directed to the user-configured `OVERSEERR_URL` using the provided `OVERSEERR_API_KEY`, which are explicitly declared as required environment variables in `SKILL.md`. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent. The code in `scripts/*.mjs` correctly implements the stated purpose without any high-risk behaviors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any person or agent using this skill acts through the configured Overseerr API key, which includes viewing request data and creating media requests.
The skill uses an Overseerr API key for authenticated API calls. This is expected for the integration, but the key grants whatever Overseerr permissions are associated with it.
`const apiKey = requiredEnv('OVERSEERR_API_KEY'); ... headers = { 'X-Api-Key': apiKey, Accept: 'application/json' }`
Use an API key with only the permissions you are comfortable delegating, keep `OVERSEERR_URL` pointed at your trusted instance, and rotate the key if it may have been exposed.
A mistaken or ambiguous request could add an unintended movie or TV show request to the Overseerr server.
The request script creates a new Overseerr request and automatically uses the first search result. This matches the stated purpose, but it is a state-changing action and could request the wrong title if the search result is ambiguous.
`const chosen = candidates[0]; ... const created = await overseerrFetch('/request', { method: 'POST', body });`
Use search first for ambiguous titles, review the result, and avoid allowing the agent to create requests unless the intended title and type are clear.
If started, the monitor will continue polling the Overseerr API and printing request updates until the process is stopped.
The monitor command is a continuous polling loop. It is documented as monitoring behavior and is not automatically started, but it will keep running until stopped.
`while (true) { ... await new Promise((r) => setTimeout(r, intervalSec * 1000)); }`
Run the monitor only when you want continuous status updates, choose a reasonable interval, and stop the process when monitoring is no longer needed.
