Radarr

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only Radarr helper that uses a local API key to manage movies through the expected Radarr REST API.

Install only if you want the agent to control your Radarr instance. Store the Radarr API key as a secret with restrictive permissions, fix the documented key path before use, avoid pasting the key into prompts or logs, and be aware that Radarr API access can add movies, start searches, and potentially update or remove media through documented endpoints.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly instructs the user to store and read a Radarr API key from disk but provides no warning that the key is sensitive, no least-privilege guidance, and no handling precautions. Even though the service is local, the API key grants control over Radarr actions such as adding movies and triggering searches, so casual credential handling increases risk of accidental disclosure or misuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal