Request media on Overseerr

PassAudited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it says—search and request media in Overseerr—but it needs your Overseerr API key and can create requests in your account.

This looks safe for its stated purpose if you want the agent to request media in your Overseerr instance. Before using it, configure the API key carefully, keep it secret, and be aware that successful requests may trigger your normal Sonarr/Radarr media workflow.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

A user request can result in a new Overseerr media request, which may then be handled by Sonarr or Radarr depending on the user's setup.

Why it was flagged

The skill instructs the agent to make a POST request that creates a media request in Overseerr. This is exactly the skill's purpose, but it is a real account mutation users should be aware of.

Skill content

POST:
$OVERSEERR_URL/api/v1/request

Movie JSON:
{
  "mediaType": "movie",
  "mediaId": <tmdbId>
}

Recommendation

Use it only when you intend the agent to submit a media request, and review ambiguous matches before approving or letting the workflow continue.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone or any agent flow with access to the configured API key could submit Overseerr requests under that credential's permissions.

Why it was flagged

The skill requires an Overseerr API key and uses it for authenticated API calls. This is expected for an Overseerr integration, but it gives the agent delegated authority to act on that service.

Skill content

Environment variables:
- OVERSEERR_URL (example: https://overseerr.yourdomain.com)
- OVERSEERR_API_KEY

Authentication header:
- X-Api-Key: $OVERSEERR_API_KEY

Recommendation

Store the API key securely, use the least-privileged Overseerr key available, and rotate it if you suspect it was exposed.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

A user relying only on metadata might not realize before opening SKILL.md that setup requires an Overseerr URL and API key.

Why it was flagged

The registry metadata does not declare the environment variables or credential that SKILL.md requires. This is notice-level because the credential use is disclosed in the instructions and is aligned with the skill's purpose.

Skill content

Required env vars: none
Env var declarations: none
Primary credential: none

Recommendation

Update the metadata to declare OVERSEERR_URL and OVERSEERR_API_KEY so the credential requirement is visible before installation.