ClawHub

Prowlarr

v1.0.0

Search indexers and manage Prowlarr. Use when the user asks to "search for a torrent", "search indexers", "find a release", "check indexer status", "list indexers", "prowlarr search", "sync indexers", or mentions Prowlarr/indexer management.

1· 2k·14 current·14 all-time
by@jmagar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the code: the script talks to a Prowlarr API and supports searches, indexer management, and syncs. However, the registry metadata lists no required config paths or env vars while SKILL.md and the script both require a config file (~/.clawdbot/credentials/prowlarr/config.json) or PROWLARR_URL/PROWLARR_API_KEY — this mismatch is an inconsistency.
Instruction Scope
SKILL.md explicitly instructs creating/reading a credentials file and gives CLI examples that run the included script. The runtime instructions stay within the stated purpose (only call the Prowlarr API). They do, however, direct the agent/user to read/create a specific config path that was not declared in metadata.
Install Mechanism
There is no install step or external download; this is an instruction-only skill with an included bash helper. No third-party packages are fetched at install time, which reduces supply-chain risk.
Credentials
The only secret needed is the Prowlarr API key (provided via config file or PROWLARR_API_KEY), which is appropriate for the stated functionality. However, the registry metadata declared no required env vars or config paths even though the skill clearly needs them. Also the script requires curl and jq, but the metadata lists no required binaries.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It simply reads a local credentials file or environment variables and makes API calls to the configured Prowlarr URL.
What to consider before installing
This skill's code matches its description: it calls a Prowlarr instance using a URL and API key. However, the package metadata omits the config file path and required tools (curl, jq) that the script uses. Before installing: 1) review the included scripts yourself (they are present and readable) to confirm behavior; 2) only provide an API key for a Prowlarr instance you trust and prefer using environment variables with restricted file permissions if you store a config file (~/.clawdbot/credentials/prowlarr/config.json should be readable only by you); 3) ensure curl and jq are available on the agent runtime; 4) confirm the PROWLARR_URL points to an internal/trusted host (the script will send the API key to that URL); 5) ask the publisher to update metadata to list required config paths and binaries so the skill's declared requirements match what it actually needs. These inconsistencies are likely sloppy packaging rather than malicious, but verify before granting access to your Prowlarr API key.

Like a lobster shell, security has layers — review code before you run it.

latestvk975t37q3tcg1xrx6gjfatkxm17zrchz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments