ClawHub

nzbget

v1.0.1

Check NZBGet download status and queue information. Use when the user asks about NZBGet downloads, wants to know how many things are downloading, check download speed, view the queue, or get a full status report of their Usenet downloads.

3· 1.9k·0 current·0 all-time
byRob McClellan@aricus
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (query NZBGet status) matches the script behavior. However, the registry metadata lists no required environment variables or binaries, while SKILL.md and scripts/check_nzbget.sh require NZBGET_USER, NZBGET_PASS, NZBGET_HOST and depend on curl, jq, and bc. This metadata mismatch is an incoherence that should be corrected.
!
Instruction Scope
The SKILL.md instructs the agent to run scripts/check_nzbget.sh which only queries the NZBGet JSON-RPC API and outputs results — scope is appropriate. However, the script constructs an HTTP URL that embeds credentials (http://user:pass@host/jsonrpc), which can expose credentials in transit and to local process listings, and the hardcoded 'http://' scheme sends credentials in plaintext over the network. These are notable security concerns beyond simple querying.
Install Mechanism
There is no install spec — the skill is instruction/code-only. No downloads or archive extraction occur. That reduces install-time risk. The script being present means it will be executed by the agent, but no external installer is invoked.
!
Credentials
Requesting NZBGET_USER, NZBGET_PASS, and NZBGET_HOST is proportionate to the stated function, but the manifest incorrectly lists no required env vars. Also, credentials are used in a way that may leak them (embedded in URL and sent over HTTP). The script also requires external binaries (curl, jq, bc) which are not declared in metadata; missing declarations reduce transparency and complicate safe deployment.
Persistence & Privilege
The skill does not request persistent presence (always: false), does not modify other skills or system-wide config, and does not claim to store tokens. No elevated persistence or privilege escalation is requested.
What to consider before installing
This skill looks like it really queries NZBGet, but there are some mismatches and security details you should address before installing: (1) The registry metadata does not declare the required environment variables (NZBGET_USER, NZBGET_PASS, NZBGET_HOST) nor required binaries (curl, jq, bc) — require the publisher to correct the manifest. (2) The script embeds credentials in the URL and uses http://, which can expose your NZBGet credentials to network eavesdroppers and potentially other local users (process lists). Prefer HTTPS and use curl --user or a header-based auth to avoid credentials in the URL. (3) Ensure the agent runs the script in a trusted, isolated environment and that the NZBGet host is reachable over TLS. If you need help hardening it, ask the publisher to update the script to use HTTPS by default (or a configurable scheme), avoid putting creds in the URL, and document the prerequisites.

Like a lobster shell, security has layers — review code before you run it.

latestvk975khdh0ccnax4p86pzf34dgn80c2t5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments