arr-all

Security checks across malware telemetry and agentic risk

Overview

This is a coherent media-server control skill, but it can change or remove items from configured Radarr, Sonarr, and Lidarr libraries.

Install only if you are comfortable giving an agent API access to your Radarr, Sonarr, and Lidarr instances. Keep the credential file private, verify the configured URLs point to your own services, and require explicit user confirmation before any `remove` command, especially when `--delete-files` is involved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 84%
Finding
The documented `remove <id> [--delete-files]` command exposes a destructive operation, including optional file deletion, without any warning about permanence, scope, or confirmation safeguards. In a media-management context this could lead to accidental deletion of media libraries or associated files if a user invokes the command incorrectly or an agent uses it unsafely.

Missing User Warnings

Medium
Confidence: 92%
Finding
The deletion path issues a direct DELETE request for an artist, optionally with file deletion, without any confirmation, dry-run, or secondary safety check in this function. In a CLI skill that manages media libraries, accidental invocation, argument mixups between external/internal IDs, or automation misuse could permanently remove library entries and possibly media files.

Missing User Warnings

Medium
Confidence: 95%
Finding
The delete operation issues a Radarr API DELETE request immediately based on the provided tmdbId and deleteFiles flag, with no confirmation prompt, dry-run, or secondary validation of the resolved title before removal. In this skill context, the function manages a real media library, so a mistaken ID, bad automation input, or prompt-injection-driven tool invocation could remove entries and optionally delete files, causing irreversible data loss.

Missing User Warnings

Medium
Confidence: 95%
Finding
The removal function issues a Sonarr DELETE request immediately, and can optionally delete files, without any confirmation prompt, dry-run, or explicit warning at the point of action. In a media-management CLI, a mistyped TVDB ID, scripting error, or accidental invocation could remove library entries and potentially erase media files, making this a real safety issue even if it is not a code-execution flaw.

VirusTotal

66/66 vendors flagged this skill as clean.
