Security audit

Lidarr

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Lidarr helper, but it can control your music manager if you give it a valid API key.

Install only if you want an agent to manage your local Lidarr instance. Keep the API key private, restrict access to the key file, and require confirmation before bulk searches, adding monitored content, removing queue items, blacklisting releases, or deleting track files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Severity: Low
Confidence: 81%
Finding
The skill explicitly instructs the user to read and use a sensitive API key from disk without any warning about secret handling, least-privilege, masking, or avoiding exposure in logs/history. While this is normal for local API usage, documenting credential access this way can lead to accidental disclosure through shell history, copied commands, screenshots, or reuse in unsafe contexts.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The reference documents destructive DELETE operations for artists and albums without clarifying whether removal affects monitored records only, local media files, or associated metadata. In an agent skill context, this omission increases the chance that an automated workflow or user prompt could trigger irreversible deletions based on ambiguous API docs.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The `/trackfile/{id}` DELETE endpoint is documented without warning that it may delete on-disk media files, which can cause permanent loss of music files. Because this skill is meant to be used by an agent interacting with a media manager, the lack of a prominent warning materially raises the risk of unintended destructive actions from automation or prompt misunderstanding.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Queue removal and blacklist actions can disrupt active downloads and prevent future acquisition of releases, yet the documentation gives no warning about these operational side effects. In this skill's context, agents may execute queue-management actions automatically, so undocumented consequences can lead to service disruption or unintended blocking of desired media.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.