Radarr
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill should understand that the configured API key lets the skill read and change the Radarr library.
The setup requires a Radarr API key stored in a local credentials file. This is expected for controlling Radarr, but it grants authority over the user's Radarr instance.
"apiKey": "your-api-key"
Use a Radarr API key only for the intended Radarr instance, protect the config file, and avoid pointing the URL at untrusted services.
If used incorrectly, the skill could remove movies from Radarr and, with the delete flag, delete associated files.
The skill documents a removal command that can delete media files through Radarr, with an instruction to ask the user first.
bash scripts/radarr.sh remove <tmdbId> --delete-files # delete files too **Always ask user if they want to delete files when removing!**
Only approve removal commands after checking the exact movie and whether files should be kept; prefer the default keep-files behavior unless deletion is intentional.
A collection add can keep affecting Radarr later by automatically monitoring and adding/searching future releases, even after the original request is finished.
After adding a collection, the script persistently enables collection monitoring and search-on-add for future movies, creating ongoing behavior beyond the immediate add operation.
# Monitor the collection for future movies
updatePayload=$(echo "$fullCollection" | jq '. + {monitored: true, searchOnAdd: true}')Require explicit user confirmation before enabling collection monitoring, document the persistent effect clearly, and honor --no-search or provide a separate flag for future auto-add behavior.