Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lidarr

v1.0.0

Interact with Lidarr (music/album manager) via its REST API. Use when searching for artists or albums, checking missing/wanted releases, triggering downloads...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the actions shown (search/add artist/album, check wanted/queue, trigger searches). However, the SKILL.md expects LIDARR_URL and LIDARR_KEY (and shows reading an API key file), which are not declared in the registry metadata; the instructions also rely on curl and python3 but required binaries are listed as none.
Instruction Scope
All instructions operate against a local Lidarr API (http://localhost:8686) and only call documented Lidarr endpoints. They instruct reading an API key from a filesystem path (e.g. /path/to/lidarr_api_key or ~/clawd/credentials/...), and use curl and python3 for processing. This is expected for a local-API skill but the skill text gives concrete file-read examples — installing an agent that follows these instructions will attempt to read that path if the example is followed.
Install Mechanism
Instruction-only skill with no install spec or downloads — low install risk. Nothing is written to disk by the skill package itself.
Credentials
The skill requires an API key (LIDARR_KEY) and a URL (LIDARR_URL) at runtime, but the registry metadata lists no required env vars or primary credential. Requested access is otherwise limited and appropriate for Lidarr, but the omission in metadata is a meaningful mismatch that could confuse permissioning or automated policy checks.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges, nor does it modify other skills. Autonomous invocation is allowed by default (platform default) but not combined with other broad privileges here.
What to consider before installing
This skill appears to do what it says: call a local Lidarr REST API. Before installing, verify or correct the mismatches:
1) Ensure you have a Lidarr API key and a local URL and decide how the agent should access them (declare env vars or provide a clear, safe file path).
2) Confirm curl and python3 are available on the agent runtime (the SKILL.md uses both).
3) Store the API key in a secure, minimally-permissioned location and create a dedicated API key in Lidarr if possible so the skill has only the permissions it needs.
4) Be aware some endpoints can delete/blacklist files or queue items — only allow this skill if you trust its source or inspect the SKILL.md thoroughly.
5) Ask the publisher to update registry metadata to list LIDARR_URL/LIDARR_KEY and required binaries, or correct the SKILL.md if those declarations are intentionally omitted.
If you cannot validate these points, treat the mismatch as a risk and avoid enabling autonomous use.
