Radarr+

Security checks across malware telemetry and agentic risk

Overview

Radarr+ does what it says: it lets OpenClaw add and track movies in Radarr, with optional movie metadata, poster, Plex-link, and chat notification features.

Install this only for an OpenClaw instance whose users you trust to request movies through your Radarr setup. Keep Radarr/Plex/API secrets private, restrict group-chat access with allowlists, protect the state/radarr directory because it contains chat targets and movie requests, and consider hardening or disabling fetch_asset.py unless poster downloads are needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding:
The skill documentation describes use of environment secrets, local file reads/writes, shell scripts, and network access, but no permissions are declared in the manifest. This creates a transparency and governance gap: operators and policy layers cannot accurately scope or review what the skill can access, increasing the chance of over-privileged execution and unsafe deployment.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The manifest says the skill adds and manages movies in Radarr, but the documentation expands behavior to external metadata retrieval, arbitrary asset downloading, Plex discovery, local state tracking, and outbound notification queuing. This mismatch is dangerous because reviewers and users may authorize the skill for a narrow Radarr use case while it actually handles broader network and local data flows, including writing files and preparing cross-channel messages.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The documentation adds a chat progress-tracking and outbox dispatch workflow that is not reflected in the declared skill purpose. This introduces message routing and persistent state behavior that could send notifications to unintended targets or leak media request activity into chats if misconfigured or abused.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The skill documentation introduces optional integrations with TMDB, OMDb, and Plex plus remote media fetching, none of which are captured in the manifest description. Hidden external integrations increase privacy and SSRF-style risk surface because the skill can contact multiple third-party services and download remote content to local storage beyond the core Radarr workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The script accepts an arbitrary URL and an arbitrary output path, then downloads the response body and writes it directly to disk with no allowlist, path restriction, or content validation. In an agent/skill context, this creates a generic fetch-and-write primitive that can be repurposed beyond Radarr poster retrieval, enabling SSRF to internal resources and overwriting files the process can access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
This file performs notification queueing and optional Plex-link generation, which extends beyond the declared Radarr-only management scope. Scope expansion matters because it creates side effects in other channels/systems, increasing the chance of unreviewed data flows, unexpected messaging, or cross-service abuse in an agent environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill conditionally uses Plex credentials from the environment to query another service even though the declared capability is Radarr-focused. In an agent context, undeclared cross-service credential use is dangerous because it widens access beyond user expectations and can expose metadata or enable unintended actions against Plex.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The onboarding explicitly states that request progress and final import status are posted back to the same chat, including group chats, while only briefly suggesting allowlists later. This can expose users' media requests, download activity, and viewing interests to other participants in shared chats, creating a privacy leak even if no direct code exploit is involved.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The add subcommand makes authenticated POST requests that modify an external Radarr instance and can immediately trigger downstream download activity, but the script itself provides no confirmation, dry-run mode, or other guardrail before performing those actions. In an agent-skill context, this increases the risk of unintended movie additions or searches from ambiguous prompts, prompt injection, or automation mistakes, even though the code is not overtly malicious.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The helper builds a single shell command string for `bash -lc` by concatenating `args` with spaces, which creates command-injection risk if any argument ever contains shell metacharacters or untrusted input. In a Radarr skill, command arguments may plausibly derive from movie titles, IDs, or other external values, so the skill context makes shell execution more dangerous because media metadata can be attacker-controlled or unexpectedly malformed.

VirusTotal

66/66 vendors flagged this skill as clean.
