Request media on Overseerr
v1.0.0Request movies or TV shows on Overseerr by title and optional season, checking availability before forwarding the request to Sonarr or Radarr.
⭐ 2· 1.5k·4 current·4 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md purpose (requesting media via an Overseerr instance) is coherent with the required actions (search and POST to Overseerr). However, the registry metadata for the skill declares no required environment variables or primary credential, while the SKILL.md explicitly requires OVERSEERR_URL and OVERSEERR_API_KEY. That mismatch is problematic: the skill needs those values to function but they aren't declared in the manifest.
Instruction Scope
The runtime instructions are narrowly scoped to searching Overseerr and creating requests via the Overseerr API; they do not ask the agent to read unrelated files or other environment variables. Note: there is a minor bug/duplication in the TV (season 2) POST example where the request URL is duplicated in the curl sample.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code, so nothing is written to disk and no third-party packages are fetched. That reduces installation risk.
Credentials
The SKILL.md requires two environment values (OVERSEERR_URL and OVERSEERR_API_KEY), which are appropriate and proportionate for the stated purpose. However, the skill manifest did not declare them or a primary credential; that omission is a metadata inconsistency. Also, the API key is sensitive because it allows actions against your Overseerr instance (which in turn triggers Sonarr/Radarr), so the key should be treated carefully.
Persistence & Privilege
The skill does not request always:true and is not attempting to modify other skills or system configuration. Autonomous invocation is allowed (default), which is normal for skills, but combined with a sensitive API key it increases potential impact if the skill were malicious.
What to consider before installing
This skill appears to do what it says (ask your Overseerr instance to request movies/TV), but the package metadata is incomplete and the source/homepage is missing. Before installing: 1) Treat OVERSEERR_API_KEY as sensitive — only provide it to code you trust. 2) Prefer a scoped/rotatable API key or a test instance; if Overseerr can issue limited-scope keys, use one. 3) Ask the publisher to update the manifest to declare OVERSEERR_URL and OVERSEERR_API_KEY (and set primaryEnv) and to publish a homepage/source so you can verify who maintains it. 4) Note that the skill can run autonomously by default; that combined with a valid API key lets it create requests on your Overseerr instance, so consider whether you trust automatic requests. 5) The skill is instruction-only (no installers), lowering installation risk, but the metadata inconsistencies are the primary reason to treat this as suspicious rather than benign.Like a lobster shell, security has layers — review code before you run it.
latestvk97cccnba7bwnkazejds6hhjbx7zyw0h
License
MIT-0
Free to use, modify, and redistribute. No attribution required.