In reply to: https://slrpnk.net/post/34491367
This is wild and a rather unfortunate situation… Ty for sharing.
As I commented in another thread, I don’t run ‘arr anything, but I’m thankful that there are competent people who can make sense of all the code involved to do a proper audit.
Absolutely, in an optimal world it would be easier to audit software ourselves through tooling, but we’re not there yet. Personally I’m looking to build a pipeline to run apps I want to host through tools such as semgrep, grype and trivy, to at least get somewhat of an overview.
I don’t personally run Huntarr but thank you so much for your amazing work!
Secuarr?
Want to stress that it was not me personally who did this deep dive, it’s a repost from reddit. So all kudos go to them!
Thank you for your thorough analysis and report. Very interesting read. Just doing the basics, as you say, is more than a layman like me can do!
The maintainer says they have “a series of steering documents I generated that does cybersecurity checks and provides additional hardening” and “Note I also work in cybersecurity.”
Yeah, that’s a big no. No one ‘generates’ ‘steering documents’. No one I would take seriously, anyway.
One more thing - the project’s README has a “Support - Building My Daughter’s Future” section soliciting donations.
Yuck.
My password is huntarr2
Thanks for this.
I’m starting to get worried about how much AI slop is being pushed on top of the venerable arr stack. A few months ago I was evaluating a music solution, and came across a promising solution called Soulsync, only to learn it was vibe coded. Since that fiasco, it looks like there is a new one called Aurral 2.0 with the same issue.
It’s a shame since the arr developers are the real deal.
Huntarr123?
i know this will hurt feelings but this is just gonna keep happening as long as y’all use GenAI. this is quite literally what it was made for
Gamefreak used an additional hardcoded RSA public key auth in Pokémon Black/White because for some reason they didn’t trust OpenSSL to not fail for their HTTPS API connections, and yet here we are in 2025 with unauthenticated API endpoints.
Was ChatGPT unable to generate swagger docs they could have lazily plugged into an API scanner bruh
Or better yet notice the big fat “unauthenticated” label when you look at the endpoint list.
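The “unauthenticated” label in an endpoint list that the two comments above refer to is something you can check mechanically once an OpenAPI/swagger document exists. The script below is an added example, not from this thread and not from the Huntarr project: it walks an OpenAPI 3 document and lists every operation that carries no security requirement, then sorts the findings by whether the operation changes state. The sample spec, its paths and the `X-Api-Key` scheme name are constructed for the demonstration.

```python
"""List OpenAPI 3 operations that require no authentication.

Added example, not the thread's or the project's code. Assumes the standard
OpenAPI 3.x rules: a top-level "security" list applies to every operation
unless the operation defines its own, and an explicit empty list
("security": []) on an operation switches auth off for that operation.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def unauthenticated_operations(spec):
    """Return a sorted list of 'METHOD /path' strings with no effective auth."""
    global_security = spec.get("security", [])  # absent == nothing required
    findings = []
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            # An operation-level "security" key overrides the global list.
            effective = op.get("security", global_security)
            # [] or [{}] both mean "anyone may call this" (an empty requirement
            # object is the OpenAPI idiom for optional auth).
            if not any(requirement for requirement in effective):
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)


def classify(findings):
    """Split findings: state-changing verbs are 'high', read-only are 'medium'."""
    grouped = {"high": [], "medium": []}
    for entry in findings:
        method = entry.split(" ", 1)[0]
        grouped["high" if method in MUTATING else "medium"].append(entry)
    return grouped


def audit_json(text):
    """Parse an OpenAPI document given as a JSON string and audit it."""
    return unauthenticated_operations(json.loads(text))


# Constructed sample document: one global API-key scheme, a few endpoints
# that inherit it, and a few that opt out in the ways OpenAPI allows.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "constructed sample", "version": "0"},
    "components": {
        "securitySchemes": {
            "apiKey": {"type": "apiKey", "in": "header", "name": "X-Api-Key"}
        }
    },
    "security": [{"apiKey": []}],
    "paths": {
        "/api/status": {"get": {"summary": "inherits the global requirement"}},
        "/api/health": {"get": {"summary": "public by design", "security": []}},
        "/api/settings": {
            "get": {"security": []},                # read-only, but unauthenticated
            "post": {"security": [{"apiKey": []}]},  # explicitly protected
        },
        "/api/docs": {"get": {"security": [{}]}},    # optional auth == open
    },
}

if __name__ == "__main__":
    for severity, entries in classify(unauthenticated_operations(SAMPLE_SPEC)).items():
        for entry in entries:
            print(f"[{severity}] {entry}")
```

The important edge case is a document with no top-level `security` at all: every operation then comes back flagged, which is the correct reading of the spec rather than a false positive, and is exactly the state a quickly generated API tends to ship in.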
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| HTTP | Hypertext Transfer Protocol, the Web |
| HTTPS | HTTP over SSL |
| SSL | Secure Sockets Layer, for transparent encryption |
[Thread #112 for this comm, first seen 23rd Feb 2026, 23:30]
OP is a GOD
All I see is ********
Thanks for forwarding.
Looks like the repo was deleted: https://github.com/plexguide/Huntarr.io
Huh, swear I’ve seen this somewhere
The dev also shut down their subreddit.
Good
Thank you for this. I have seen a few *arr combination projects I wanted to look into, so I may have come across this one.
It’s unfortunate that the “developer” chose to nope out, instead of fixing it or at least seeking help from the community. This is one of the good aspects of OSS - that we can and should audit ourselves. But if it was all vibe coded, maybe they didn’t know that an audit is good and should be welcomed, instead of rejected and shut down.
I’ll give you a hint: Originally it was *******.
Wait, let me try again - hunter2
…as long as y’all use GenAI incorrectly.
It has its uses in programming. Doing all the coding for you is not one of them.
Holy shit! What a trainwreck of an app
I already had a feeling from navigating the interface.
Thanks for your work.
If you are willing, I would love to see a blog post, video, or repo of exactly how you conducted this audit. Great read, and would like to learn more of your specific process (beyond the readmes and man pages).
Once again I’m glad that I just search trackers with the browser and download torrents with a torrent client, like a peasant.
I’ll be honest, if ‘arr were my modus operandi, I would most likely take your approach because the alternative would keep me up at night worrying.
Doing all the coding for you is not one of them.
yet. If AI can do anything well, I think it should be writing code, given the formulaic nature of code. We are NOT there yet. But it will one day, no doubt.
This is great thank you for this since the next step on my journey is the ARR stack!
Best of luck, hit me up if you have any questions regarding it 😊