radarr
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses strong instructional markers to ensure the agent prioritizes the tool for relevant tasks.
  - Evidence: Found in SKILL.md with headers like '⚠️ MANDATORY SKILL INVOCATION ⚠️' and explicit instructions that failure to invoke the skill violates operational requirements.
- [PROMPT_INJECTION]: The skill processes untrusted metadata such as movie titles and overviews sourced from TMDB via the Radarr API, which presents a surface for indirect prompt injection.
  - Ingestion points: Movie search results and existence checks in scripts/radarr.sh.
  - Boundary markers: The script returns data to the agent without specific delimiters or instructions to ignore embedded commands.
  - Capability inventory: Includes capabilities to add/remove movies and delete files via the radarr.sh script.
  - Sanitization: Input to the API is URI-encoded via jq, but output from the API is not sanitized for malicious natural language instructions before being processed by the LLM.
- [COMMAND_EXECUTION]: The skill provides the ability to delete media files from the server's file system through the Radarr API.
  - Evidence: The remove command in scripts/radarr.sh can be executed with the --delete-files flag, which triggers the Radarr API's file deletion parameter.
- [SAFE]: The skill communicates with Radarr and TMDB using standard API methods and follows established patterns for credential management in the homelab environment.
  - Evidence: Credentials are loaded via a specialized helper script (load-env.sh), and all external network calls are directed to user-configured or well-known service endpoints.
Audit Metadata