Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ClawARR Suite
v1.0.1Comprehensive management for self-hosted media stacks (Sonarr, Radarr, Lidarr, Readarr, Prowlarr, Bazarr, Overseerr, Plex, Tautulli, SABnzbd, Recyclarr, Unpa...
⭐ 4· 979·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description align with the included scripts and reference docs (numerous scripts for Sonarr/Radarr/Plex/Tautulli/etc.). However, the SKILL/README repeatedly reference Docker and SSH operations (docker exec, docker restart, docker-compose, SSH-based companion service access), and companion containers (kometa, recyclarr, unpackerr) — yet the registry metadata's required binaries list only includes bash, curl, jq, bc, sed. Docker, ssh, and related tooling are plausibly required for many documented workflows but are not declared, which is an incoherence between stated purpose and declared dependencies.
Instruction Scope
SKILL.md and README instruct the agent to run many scripts (setup.sh, discover.sh, status.sh, diagnose.sh, manage.sh, etc.). The docs explicitly describe auto-discovery and 'grabs API keys' behavior and show commands that read container config files (e.g., cat /config/config.xml, curl initialize.js) and run docker commands. That implies the scripts will read local configuration and may execute docker/ssh commands against the host — actions that go beyond simple API calls and require privileged access to local hosts/containers. The SKILL.md claims 'local-first' ops and 'no telemetry', but the runtime instructions give the agent broad discretion to probe the LAN, inspect service configs, and run container/SSH commands; that scope should have been declared explicitly.
Install Mechanism
No install spec is provided (instruction-only in registry), but the skill bundle does include 24 bash scripts and many reference docs. Because the skill ships scripts (not just prose), those files will be available to the agent at runtime; there is no automated install/downloader in the registry metadata. This is lower risk than executing an arbitrary downloaded archive, but it means you should review included scripts before executing them on a live system.
Credentials
Registry metadata declares no required environment variables, but README/SKILL.md document many API tokens/credentials (SONARR_KEY, RADARR_KEY, PLEX_TOKEN, TAUTULLI_KEY, PROWLARR_KEY, TRAKT_CLIENT_ID/SECRET, SSH host envs, UNPACKERR envs, etc.). The skill will expect and use secrets but did not declare them in the registry manifest. That mismatch makes it unclear what secrets the skill will read and from where (env vs. config files), and raises a risk that the agent may attempt to access tokens or config locations the user did not intend to expose.
Persistence & Privilege
The skill does not request 'always: true' and keeps default autonomous invocation (disable-model-invocation: false). It documents destructive actions as 'opt-in' (remove/delete commands require explicit invocation). That is reasonable for an operations skill, but because the scripts can run docker/ssh and perform deletions (e.g., Maintainerr delete rules, delete via Radarr/Sonarr API), users should be explicit about when the agent is allowed to run those commands. Consider restricting autonomous invocation unless you trust the skill and have audited the scripts.
Scan Findings in Context
[clawhub-automated-flag] expected: README mentions ClawHub's automated scanner flagged the repo for patterns like bash eval, WebRTC for LAN discovery, and Docker commands. Those patterns are expected for a comprehensive media-stack management tool, so the flag could be a false positive — but the presence of those patterns is real and worth manual review.
[pre-scan-injection-signals] expected: The provided registry metadata reports 'Pre-scan injection signals: None detected.' This is consistent with the repo being primarily bash scripts and docs, but it does not eliminate the need to inspect scripts that read local service configs or run docker/ssh.
What to consider before installing
This skill appears to implement exactly what it claims (deep management of *arr media stacks) but has important mismatches you should review before installing:
- Inspect the scripts (start with scripts/setup.sh, discover.sh, diagnose.sh, manage.sh, and maintainerr.sh). Look for commands that call docker, docker-compose, ssh, curl to external hosts, or read files like /config/config.xml or initialize.js. These indicate the skill will access container configs and may require host-level access.
- Expect to provide many secrets: Plex/Tautulli/Radarr/Sonarr API keys, Trakt/Simkl client secrets, and possibly SSH access to your NAS. The registry metadata did not declare these env vars; supply them only after auditing the scripts and understanding where they are used/stored.
- Because the skill performs potentially destructive operations (library deletions, container restarts, file removals) ensure you:
- Backup important data first.
- Run the skill in a safe/non-production environment to test behavior.
- Limit the agent's ability to invoke the skill autonomously if you do not want it taking actions without explicit approval.
- If you plan to run the scripts on a machine lacking docker/ssh, the scripts may fail or attempt alternate flows; the absence of docker/ssh from the declared requirements is an incoherence — add those tools or correct the manifest.
- If you are not comfortable auditing shell scripts yourself, ask a knowledgeable administrator to review for any unexpected network exfiltration (curl to remote domains), eval/exec usage, or secrets being written to remote endpoints.
Overall: do not deploy this skill with unattended privileges until you (or someone you trust) have reviewed the scripts and provided only the minimal secrets and access needed for the features you intend to use.Like a lobster shell, security has layers — review code before you run it.
latestvk97acf5jn411m0x5h1h0wwyw1x81b91b
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsbash, curl, jq, bc, sed