Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sonarr

v1.0.0

Interact with Sonarr (TV show manager) via its REST API. Use when searching for TV series, checking missing/wanted episodes, triggering downloads, or monitor...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly implements Sonarr REST API actions (search, add series, check queue, trigger searches) which aligns with the skill name/description. However the metadata declares no required credentials or env vars while the instructions expect SONARR_URL and SONARR_KEY (an API key), so the declared requirements are incomplete.
Instruction Scope (flagged)
Runtime instructions perform curl calls against Sonarr (defaulting to http://localhost:8989) and parse results with python3. They instruct reading an API key from a local file (e.g. ~/clawd/credentials/sonarr_api_key). The actions are limited to the Sonarr API and local files, but the instructions reference reading secret material (the API key) while that secret is not declared in the skill metadata — a scope/visibility mismatch that should be corrected.
Install Mechanism
This is an instruction-only skill with no install spec or code to download or write to disk, which is the lowest-risk install mechanism.
Credentials (flagged)
The skill requires an API key (SONARR_KEY) and a Sonarr URL (SONARR_URL) according to SKILL.md, but the registry metadata lists no required env vars and no primary credential. Requesting undisclosed secrets (via a file) is disproportionate to the manifest and should be fixed or explained.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence or permissions. Autonomous invocation is allowed (platform default), but there's no evidence the skill modifies other skills or global config.
What to consider before installing
This skill appears to correctly describe Sonarr API usage, but the published metadata fails to list the credentials it needs. Before installing: (1) verify the skill's source and trustworthiness (owner is unknown), (2) confirm you have a local Sonarr instance at the URL used or update SONARR_URL appropriately, (3) store the Sonarr API key securely (the SKILL.md suggests ~/clawd/credentials/sonarr_api_key) and ensure only the agent can read it, (4) ask the publisher to update metadata to declare SONARR_KEY/SONARR_URL (and a primary credential) so the manifest matches runtime behavior, and (5) if you use autonomous agents, be aware the skill can be invoked to call your local Sonarr — ensure that's intended. If you want higher assurance, request a signed/verified source or run these curl commands manually first to audit their effects.


Version: latest (vk97ed5crc2sdexenq5e36ra1fh8429dd)
