ClawHub

Radarr

Security checks across malware telemetry and agentic risk

Overview

This Radarr skill mostly does what it says, but it needs review because it can delete media and silently changes collection settings for future automatic additions.

Install only if you are comfortable giving the skill control over your Radarr library. Before using remove, confirm the exact movie and keep files unless deletion is intentional. Be especially careful with add-collection because it can turn on future monitoring and automatic search/add behavior in Radarr.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell commands (`bash scripts/radarr.sh ...`) but does not declare corresponding permissions. Undeclared execution capability weakens transparency and policy enforcement, making it easier for a user or host system to underestimate what the skill can do. In this context, the shell access is used to drive an external service and can mutate media library state, so the omission is security-relevant rather than purely informational.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description says the skill searches for and adds movies, but the documented behavior also includes removal, optional file deletion, config inspection, existence checks, and collection monitoring changes. This mismatch is dangerous because users and security tooling may authorize the skill for a narrower purpose while it actually supports destructive operations, including deleting files. The media-management context makes removal somewhat expected, but omitting it from the description materially increases risk of unintended destructive use.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest-level description omits the documented capability to remove movies, which is a destructive action and can optionally delete associated files. Incomplete disclosure undermines informed consent and can cause users or automated reviewers to trust the skill with broader powers than they realize. Because this is a Radarr administration skill, delete functionality is contextually plausible, but it still must be explicitly declared.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says it searches and adds movies, but the script also supports removing movies and optionally deleting associated files. This capability mismatch is dangerous because users or higher-level agents may invoke the skill under a non-destructive trust model and trigger unexpected destructive actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The add-collection flow not only adds current movies but also changes collection settings to monitored=true and searchOnAdd=true, enabling future automatic additions. This undisclosed persistent behavior expands the skill's effect beyond the immediate request and can cause ongoing changes to the media library without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The remove command can delete media files when passed --delete-files, but there is no confirmation prompt, dry-run, or second-factor acknowledgement. In an agent setting, a mistaken parameter, prompt injection, or misunderstanding could irreversibly remove content from disk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal