Oathe Security Badge

Is aplaceforallmystuff/mcp-arr safe?

https://github.com/aplaceforallmystuff/mcp-arr

Score: 94 · SAFE

This is a legitimate MCP server for managing *arr media management applications (Sonarr, Radarr, Lidarr, Readarr, Prowlarr). The code is professionally written TypeScript with standard MCP SDK usage and no malicious behavior detected. Some sensitive file access occurred during installation but appears to be normal system behavior rather than skill-related exfiltration.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

LOW Sensitive file access during installation -10

The installation process accessed sensitive files like .env, SSH keys, and cloud credentials. However, this appears to be system-level access during normal installation procedures rather than malicious behavior by the skill itself.

INFO Media management complexity -10

This skill provides comprehensive access to *arr media management services, which are powerful tools that can significantly affect a user's media library configuration. Users should ensure they understand the implications of the operations they request.

INFO Standard MCP server implementation -5

The skill is implemented as a standard MCP server using TypeScript with appropriate dependencies and no suspicious execution patterns detected.