ClawARR Suite

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: clawarr-suite
Version: 1.0.1

The OpenClaw AgentSkills skill bundle is classified as 'suspicious' due to its extensive use of powerful system commands (`docker exec`, `ssh`, `pip install`) and direct interaction with local network services and user-configured hosts. While these capabilities are plausible and necessary for managing a self-hosted media stack, they introduce significant vulnerability risks. Specifically, the scripts `kometa.sh`, `recyclarr.sh`, and `unpackerr.sh` execute commands via `docker exec` or `ssh` using arguments derived from environment variables (`DOCKER_HOST_SSH`, `DOCKER_CMD`) and potentially user-controlled input. This pattern, if exploited through prompt injection or a compromised environment, could lead to Remote Code Execution (RCE) on the host system. Additionally, `scripts/trakt.sh` offers to `pip install --user traktarr` and `retraktarr`, introducing external software dependencies. There is no clear evidence of intentional malicious behavior (e.g., data exfiltration to unauthorized endpoints, backdoors, or stealth), and the `SKILL.md` explicitly claims to avoid telemetry and destructive actions without explicit user command, which is generally supported by the code's logic. The 'suspicious' classification reflects the high-risk capabilities and potential for exploitation, rather than proven malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Sonarr/Radarr/Plex/Tautulli/SABnzbd and related service credentials could be exposed to the agent session or logs during setup.

Why it was flagged

The setup flow explicitly extracts and prints service API keys. That is purpose-aligned, but high-impact because those keys can control media services and may be exposed in terminal/chat logs unless redaction and storage behavior are clear.

Skill content

This auto-discovers services, extracts API keys, verifies connections, and outputs your config.

Recommendation

Run setup manually if possible, avoid pasting secrets into shared chats, review generated config before storing it, and rotate any keys that may have been exposed.

What this means

A user may not realise when viewing history, ratings, watchlists, or library information could be sent to external tracker services.

Why it was flagged

The privacy claim is ambiguous because the same skill documents third-party tracker syncing of watch activity. Even if user-directed, the artifacts should clearly distinguish "no hidden telemetry" from intentional third-party sharing.

Skill content

No telemetry/exfiltration paths: scripts do not transmit credentials or library data to third-party endpoints. ... Track and sync what you watch across services like Trakt.tv, Letterboxd, Simkl

Recommendation

Treat tracker sync as third-party data sharing; only enable it when you understand which data is sent and under which account.

What this means

Using this workflow may automate access to protected third-party sites in ways they do not permit.

Why it was flagged

The documentation explicitly describes bypassing Cloudflare/bot-protection for indexers. This is not hidden, but it is materially risky and may violate third-party service rules.

Skill content

FlareSolverr — Cloudflare Bypass ... Proxy that solves Cloudflare challenges. Some indexers use Cloudflare protection that blocks automated access. ... It auto-handles challenges.

Recommendation

Avoid enabling FlareSolverr or similar bypass tooling unless you have a legitimate, permitted use and understand the legal and account risks.

What this means

Mistaken prompts or agent choices could add unwanted media, approve requests, pause downloads, or remove items.

Why it was flagged

Broad mutation authority is central to the stated purpose and is disclosed, but it can change downloads, requests, libraries, and service state.

Skill content

gives your AI assistant full operational control over your entire *arr media stack ... Content Management | Add/remove movies & series ... Request Handling | Overseerr approval workflows, stats, bulk actions

Recommendation

Ask the agent to preview planned changes before approving actions that add, remove, approve, deny, pause, resume, or clean up content.

What this means

Your viewing activity, ratings, watchlists, or library-derived information may be shared with third-party tracker accounts.

Why it was flagged

The skill integrates with external tracker providers and can move viewing-history and account data between services. This is disclosed and purpose-aligned, but privacy-sensitive.

Skill content

Sync my Plex watch history to Trakt ... Trakt.tv | Auth, history, ratings, watchlists, scrobbling, discovery, sync

Recommendation

Use tracker sync only for accounts you trust, and verify which direction each sync/export/import command uses before running it.

What this means

If configured, the agent may be able to run operational commands against your NAS or Docker host.

Why it was flagged

The skill is bash-script based and documents optional SSH-based control of companion services. This is expected for the media-management purpose, but it expands impact from local API calls to remote server operations.

Skill content

SSH access for Docker-based companion services ... export RECYCLARR_SSH=mynas ... export KOMETA_SSH=mynas ... export UNPACKERR_SSH=mynas

Recommendation

Use a limited SSH account where possible, review commands before remote execution, and avoid configuring SSH access unless you need those companion-service workflows.