ClawARR Suite

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate media-stack manager, but it handles powerful service credentials and local-network control in ways users should review before installing.

Install only if you intend to give an agent administrative control over your media stack. Run it on a trusted machine and network, avoid pasting logs or generated configs without redacting keys, prefer HTTPS or localhost where possible, review any pip install or Docker/SSH command before approving it, and rotate API keys if setup output or browser localStorage may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (41)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The script writes several predictable filenames into /tmp and later reads them via shell-invoked commands during awk replacement. Because /tmp is shared and attacker-writable on multi-user systems, an attacker can pre-create symlinks or race these files to cause arbitrary file overwrite, unintended reads, or content injection into the generated dashboard. The use of fixed names rather than secure temporary files makes this materially unsafe.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The script actively fetches API keys from Sonarr/Radarr-family services via unauthenticated initialization endpoints and stores them for later use. Even if intended as setup convenience, this is credential collection behavior that expands access to all managed services and becomes dangerous if the script is run against a remote host, on a shared terminal, or in an environment where stdout/logs are captured.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding
The script prints ready-to-run export commands containing full recovered API keys directly to stdout. This exposes secrets to terminal scrollback, shell logging, screen recordings, shared sessions, CI logs, and copy/paste artifacts, making credential compromise much easier.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The setup flow offers to install an external Python package via pip, which expands the skill from orchestrating tracker integrations into modifying the local environment by fetching and executing third-party code. Even though this is interactive and framed as convenience, package installation from public repositories carries supply-chain risk and can unexpectedly change the host state, making it a real security concern in an agent skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
This branch similarly installs retraktarr via pip during setup, causing the skill to download and execute third-party package code on the host. In a media-management skill, that capability is broader than necessary for normal tracker orchestration and introduces supply-chain and host-modification risk if a package is compromised or unexpectedly updated.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
The script discovers and executes external helper binaries (traktarr/retraktarr) that can modify local Arr applications and library state. In a security review, this expands trust from the script itself to whatever binary is found in PATH or common locations, creating a supply-chain and unintended local-action risk if a malicious or replaced executable is present.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The traktarr configuration flow creates and displays config files containing sensitive local service endpoints, Arr API keys, and Trakt client secrets. This is dangerous because secrets are written in cleartext and later exposed via output, which can leak into terminal logs, agent transcripts, or other monitoring systems.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The retraktarr configuration flow similarly creates and exposes local Arr credentials and Trakt secrets in plaintext configuration. Because this skill is designed for self-hosted media stacks, these credentials can grant direct control over local services and can be exfiltrated through console output or logs.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The UI text says keys are 'saved in your browser (localStorage) and masked for safety,' but the implementation stores the full API keys in localStorage and only masks them in the rendered display. This is dangerous because any script running in the page origin, malicious browser extension, or local user with browser access can read the plaintext secrets, while the wording may mislead users into believing the keys are protected at rest.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README explicitly says setup will auto-discover services, extract API keys, verify connections, and output config, but it does not warn users that this process accesses sensitive credentials and may print or persist secrets. In a skill designed for broad operational control over a media stack, normalizing credential extraction without strong disclosure increases the risk of accidental secret exposure in terminal logs, chat transcripts, screenshots, or stored config files.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The Maintainerr section describes cleanup rules, triggering runs, and exclusions, but does not prominently warn that cleanup workflows can delete or remove media irreversibly depending on downstream configuration. In a media-automation environment, these commands can have destructive effects on a user's library or storage if invoked casually by an agent.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding
The request-management commands include approval and denial actions that change Overseerr request state for potentially multiple users, but the documentation does not clearly warn that these are write operations affecting shared service workflows. This can lead an agent to approve or deny requests without sufficiently explicit user intent, causing administrative or social impact in shared environments.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The guide explicitly shows commands to retrieve or expose the Radarr API key from config files and initialize endpoints, but does not warn users that the key is a credential that must be protected. This creates a realistic risk of credential disclosure through terminal history, screenshots, shared notes, or copied support output, enabling unauthorized API access to the media stack.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The help section instructs users to collect and share logs, system status, queue output, and compose configuration without warning that these artifacts may contain API keys, hostnames, internal IPs, filesystem paths, usernames, and other sensitive operational data. In practice, users often paste such data into public forums or tickets, causing unintentional information disclosure.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The prompt guidance suggests destructive actions such as removing media items without any confirmation, dry-run, or warning language. In an agent setting, this increases the chance that a natural-language request is translated into irreversible state changes or data loss from an overly broad or mistaken instruction.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The bulk approval workflow encourages looping over all pending requests and approving them en masse without any guardrails. This can let an agent perform large-scale unauthorized or unintended content additions, consuming storage, bandwidth, and potentially violating user policy with a single prompt.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The service discovery prompt instructs scanning a host without any caution about authorization, privacy, or sensitivity of discovered services. In an agent context, this can normalize network enumeration against arbitrary targets and expose internal infrastructure details if used on the wrong host.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The initial setup workflow implies guided setup against a host IP but does not warn that it may modify configuration, probe services, or require elevated access. This creates risk that an agent could make broad configuration changes to the wrong host or expose credentials and service topology during setup.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The guide explicitly instructs users to extract API keys and Plex tokens from service endpoints and config files, then save them in a plaintext environment file for reuse. These credentials provide broad control over media-management services and could be exposed through shell history, backups, shared home directories, screenshots, or accidental commits.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The guide promotes automatic Trakt-to-Radarr/Sonarr additions and notes that Radarr downloads them automatically, but it does not lead with a clear safety warning that this changes library state and can trigger unattended downloads. In this skill context, that can cause unexpected media acquisition, storage consumption, and unintended operational changes on a self-hosted stack.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The script exposes personally sensitive media-consumption data such as watch history, current activity, and per-user statistics directly to whoever can run it, with no consent prompt, access control, or privacy warning. In a shared admin or agent environment, this can leak user behavior, schedules, and preferences, which may be sensitive even if the underlying media stack is self-hosted.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script sends Tautulli and Plex credentials over plaintext HTTP and embeds the Tautulli API key in the URL query string, which increases exposure via network interception, proxy logs, shell history, and application logging. Because these credentials grant access to media server data and administrative APIs, compromise could enable unauthorized monitoring or control of the media stack.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The script fetches titles, activity, history, usernames, and queue data from multiple authenticated services and injects those values directly into HTML without output encoding. If any upstream metadata contains HTML or script payloads, opening the generated dashboard in a browser could trigger stored/local XSS, exposing viewing history and possibly local browser context. The media-management context increases risk because these fields often originate from external indexers or media metadata sources.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script sends the SABnzbd API key as a query parameter over plain HTTP, which exposes the credential to interception by anyone with network visibility and may also leak it via logs, proxies, shell history, or diagnostics. Because this skill manages self-hosted media infrastructure and performs control actions like pause/resume and queue inspection, a stolen key could allow unauthorized access to download operations and related service data.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script sends search terms, management commands, and API-key-authenticated requests to a remote service without any explicit disclosure or transport safeguards, and the constructed URL uses plain HTTP. In a self-hosted media-management context this can expose library contents, user queries, and administrative actions to interception or unintended hosts if the environment is misconfigured.

VirusTotal

64/64 vendors flagged this skill as clean.