ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Admirarr

v1.0.0

Manage a Jellyfin/Plex + *Arr media server stack — check status, add content, monitor downloads, diagnose issues, restart services.

0· 176·0 current·0 all-time
byMax Techera@maxtechera
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description map directly to a CLI tool called 'admirarr' and the SKILL.md lists commands the binary implements. Requiring the 'admirarr' binary on PATH is coherent for a CLI-driven skill that manages Jellyfin/Plex and *Arr services.
Instruction Scope
The instructions tell the agent to run admirarr commands (status, health, search, restart, etc.) and do not instruct reading unrelated system files or external credentials. However, 'admirarr doctor --fix → Built-in fixes → AI agent for the rest' is vague and could permit the agent to take broader corrective actions beyond mere read-only queries; the SKILL.md does say to confirm destructive actions, but the ambiguity is worth noting.
!
Install Mechanism
The skill has no formal install spec but the SKILL.md includes a 'curl -fsSL https://get.admirarr.dev | sh' installer suggestion. Piping remote scripts to sh is a high-risk pattern because it executes code from an external host; the domain is not an obviously well-known package host. The skill itself does not install files, but the presence of that installer in docs increases risk if a user follows it without verification.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate to a CLI wrapper which relies on local service endpoints and the admirarr binary.
Persistence & Privilege
always:false (normal). The skill can be invoked autonomously (platform default). Combined with the ambiguous 'doctor --fix' behavior, autonomous invocation could allow the agent to run corrective commands if not constrained by prompts/confirmation; SKILL.md instructs to confirm with user before destructive actions, so verify that runtime enforcement of confirmations exists.
What to consider before installing
This skill appears to be an instruction wrapper around an external CLI (admirarr), which is reasonable for managing media stacks — but take these precautions before installing or running it: 1) Do not run the curl | sh installer blindly; inspect the script at https://get.admirarr.dev and prefer a package from a reputable release (GitHub release, distro package, or homebrew) or verify a checksum/signature. 2) Verify the source code or repository for the admirarr binary and confirm the domain is legitimate. 3) Run the binary in a sandbox or non-privileged environment first; avoid running it as root. 4) Confirm how the agent enforces user confirmations for 'restart' or 'doctor --fix' actions — require interactive approval for changes. 5) If you need to allow autonomous runs, restrict the agent's environment (no sensitive AWS/GitHub tokens in the same environment) in case the binary or agent issues network calls. If you can, ask the publisher for a canonical install method and reproducible release artifacts; lack of those increases risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk979qtt8f9crhx87w3mx6c63cs82tzxt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsadmirarr

Comments