ClawAudit verdict
stremio-unwatched
A Stremio library manager that authenticates with the Stremio API to track unwatched episodes and optionally syncs to Google Calendar; all network calls are to declared services matching the stated purpose.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Permission integrity
network_out
package_install
Findings (5)
apt-get install — installs system packages
SKILL.md · code · apt-get install
Possible hardcoded credential
scripts/stremio_auth.sh · prose · downgraded · password="${STREMIO_PASSWORD:-}
HTTP request to bare IP address — common in malicious payloads
references/stremio_api.md · prose · downgraded · http://127.0.0.1
Base64 encoding/decoding
README.md · prose · downgraded · base64-encode
Sets world-executable permissions
scripts/stremio_auth.sh · prose · downgraded · chmod 700
Permissions & capabilities
No declared permissions — minimal attack surface.
network_outpackage_installnetwork_in Is this flag fair?
Thanks — recorded.