Stremio Unwatched

Warn

Audited by ClawScan on May 18, 2026.

Overview

The skill mostly matches its Stremio purpose, but its default download path can start real torrent downloads despite documentation claiming dry-run behavior, and its auth script can print a Stremio token.

Review carefully before installing. Use --dry-run, --filter, and --limit before any downloads, avoid running the default download command unless you intend to start real downloads, and treat any printed Stremio auth key as a secret. Only use trusted Stremio addons and consider pinning the GitHub install to a known commit.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the default download command can start multiple downloads, consume bandwidth/storage, and expose torrent activity before the user reviews the episode list.

Why it was flagged

The default mode is not dry-run, and the script can queue torrents in Stremio or add magnet links to torrent clients without an in-script confirmation step.

Skill content

DRY_RUN=false ... curl -sf -X POST "${STREMIO_SERVER}/${info_hash}/create" ... transmission-remote -a "$magnet"

Recommendation

Make dry-run/preview the default, require an explicit confirmation or --yes flag for real downloads, and encourage filters or limits before downloading.

What this means

A user may run the download command expecting only a preview, but the skill may actually start downloads.

Why it was flagged

This safety claim conflicts with the download script's default real-download behavior, which may lead users or agents to trust the default command more than they should.

Skill content

- **Dry-run by default** — always preview before downloading

Recommendation

Either change the code to match the dry-run claim or update the documentation to clearly state that --dry-run must be supplied for preview-only behavior.

What this means

The Stremio auth token could appear in agent/tool output, logs, or transcripts, giving unintended access to the user's Stremio account data until revoked.

Why it was flagged

The script stores the Stremio auth token locally with restrictive permissions, but it also prints the auth key to stdout on login/default paths.

Skill content

save_credentials "$auth_key" "$user_id" "$email" ... chmod 600 "$CRED_FILE" ... echo "$auth_key" ... echo "$key"

Recommendation

Only print the token for an explicit --key mode, keep normal login output redacted, and declare the Stremio credential requirement in metadata.

What this means

Installed Stremio addons can learn which episodes are being resolved for download.

Why it was flagged

To resolve streams, the skill sends requested episode IDs to the user's installed Stremio addon URLs, which may be third-party services.

Skill content

stream_addons=$(echo "$addons_resp" | jq -r '... .transportUrl ...') ... streams=$(curl -sfL "${addon_base}/stream/series/${video_id}.json"

Recommendation

Use only trusted Stremio addons and review the addon list before using the download feature.

What this means

Installing later from the repository may fetch code that is not identical to the scanned files.

Why it was flagged

The install instructions use an unpinned external GitHub clone, so future repository contents could differ from the reviewed artifact set.

Skill content

git clone https://github.com/pat-industries/stremio-unwatched.git

Recommendation

Pin installation to a reviewed commit or release tag and keep the registry source/homepage metadata accurate.