Skillv1.0.0

ClawScan security

Readarr · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 10:03 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to do what it says (talk to a local Readarr API), but there are inconsistencies and missing declarations—most importantly it instructs the agent to read a local API key file while the skill metadata declares no required credentials or config paths.
Guidance: This skill is generally coherent for interacting with a local Readarr instance, but review before installing. Key points: (1) SKILL.md expects the agent to read your Readarr API key from a file in your home (~/clawd/credentials/readarr_api_key or similar) even though the skill metadata doesn't declare required credentials—ensure you understand and approve any file access. (2) Confirm the Readarr URL (localhost vs. 192.168.42.79) and the filesystem paths referenced (Calibre library, Docker volumes) match your environment; the doc has environment-specific assumptions (macOS path, Synology Docker) that may not apply. (3) If you do not want an agent to read local secrets, move the API key to a location only you permit, or update the skill to clearly declare required config path(s) and to accept the key via a safer mechanism. (4) Because this is instruction-only, there is no installer risk, but pay attention to the agent's permission to read files and access your LAN. If unsure, test in a restricted account or VM and prefer creating a dedicated Readarr API key with limited scope before use.

Review Dimensions

Purpose & Capability: noteThe name/description match the instructions: SKILL.md contains curl examples against Readarr endpoints, add/monitor/search workflows, and Calibre integration. However, the skill metadata declares no required environment variables or config paths while the instructions rely on READARR_URL and READARR_KEY (and specific file paths). This mismatch is unexpected and should be reconciled.
Instruction Scope: concernRuntime instructions explicitly tell the agent to read a local credential file (e.g. `READARR_KEY=$(cat ~/clawd/credentials/readarr_api_key)` / `/path/to/readarr_api_key`) and reference local hosts/paths (localhost:8787, 192.168.42.79, /Volumes/Bull, /Applications/Readarr.app). Reading a secret from the user's home directory is within the skill's stated purpose but is sensitive; the instructions also mention passwordless sudo for docker on Synology which indicates environment-specific privileged operations. There are no instructions that exfiltrate data to external hosts, but the skill grants itself discretion to read local files and network services not declared in the metadata.
Install Mechanism: okInstruction-only skill with no install spec and no code files. This is lower risk because nothing is automatically downloaded or written by an installer.
Credentials: concernThe skill requires an API key to authenticate to Readarr, and the SKILL.md instructs where to store/load it, but the registry metadata lists no required env vars or config paths and no primary credential. That mismatch is disproportionate: the agent will try to access a local secret file without the skill declaring that it needs such access. The required access is limited to a Readarr API key and local network, but the lack of explicit declaration reduces transparency.
Persistence & Privilege: okThe skill is not always-enabled, does not request elevated platform-wide persistence, and does not modify other skills' configuration. Autonomous invocation is permitted (platform default) — combine that with the noted credential access if you are concerned.