High-risk tools in Homelab
27 of the 126 tools in Homelab are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
adguard_toggle_protectionExecuteEnable or disable AdGuard Home DNS filtering protection.
-
bazarr_download_subtitleExecuteTrigger a manual subtitle download for a specific movie or episode in Bazarr.
-
container_check_updatesExecutePull latest images for all running containers on the devbox and report which have updates available.
-
container_updateExecuteUpdate a specific container on the devbox: pull the latest image and restart it. If project_dir is provided, uses docker compose pull + up instead.
-
devbox_docker_composeExecuteRun docker compose up/down/restart/pull/logs for a project on the devbox.
-
devbox_execExecuteExecute a shell command on the devbox via SSH. Dangerous commands are blocked.
-
devbox_gitExecuteRun git status, pull, log, or clone on the devbox.
-
devbox_project_deployExecuteDeploy a project: git pull, docker compose pull, docker compose up -d, then show status.
-
homelab_setupExecuteAI-guided setup wizard for homelab-mcp.
-
media_restartExecuteRestart a media service container on the devbox.
-
plex_refresh_libraryExecuteTrigger a Plex library scan to pick up newly added files.
-
prometheus_queryExecuteRun an arbitrary PromQL query against Prometheus. Use for ad-hoc metrics: container CPU/RAM, disk trends, network IO, etc.
-
prowlarr_sync_appsExecuteForce Prowlarr to sync all indexers to connected apps (Radarr, Sonarr). Use after adding a new indexer.
-
prowlarr_test_indexersExecuteTest all indexers (or a specific one) in Prowlarr to verify they are working.
-
proxmox_create_ctExecuteCreate a new Debian 12 LXC container on the Proxmox node.
-
proxmox_execExecuteExecute a shell command on the Proxmox host via SSH. Use for disk operations and host-level administration. Destructive commands are blocked.
-
proxmox_restart_vmExecuteRestart a VM or LXC container by its VMID.
-
proxmox_start_vmExecuteStart a VM or LXC container by its VMID.
-
proxmox_stop_vmExecuteStop (graceful shutdown) a VM or LXC container by its VMID.
-
radarr_force_searchExecuteForce Radarr to search all indexers for a specific movie already in the library.
-
radarr_grab_releaseExecuteGrab a specific release by its GUID (from radarr_interactive_search) and send it to the download client.
-
sabnzbd_pause_queueExecutePause the SABnzbd download queue.
-
sabnzbd_resume_queueExecuteResume the SABnzbd download queue.
-
sonarr_force_searchExecuteForce Sonarr to search all indexers for missing episodes of a series.
-
sonarr_grab_releaseExecuteGrab a specific release by its GUID (from sonarr_interactive_search) and send it to the download client.
-
sonarr_season_searchExecuteSearch for a specific season of a series in Sonarr.
-
wol_sendExecuteSend a Wake-on-LAN magic packet to wake a machine by its MAC address. Requires wakeonlan or etherwake on the devbox.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.