nzbget
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: nzbget Version: 1.0.1 The skill bundle is designed to check NZBGet download status and queue information. It uses environment variables (NZBGET_USER, NZBGET_PASS, NZBGET_HOST) to authenticate and connect to a user-defined NZBGet instance via its JSON-RPC API using `curl`. The `SKILL.md` provides clear instructions for the agent without any prompt injection attempts. The `scripts/check_nzbget.sh` script uses standard tools (`curl`, `jq`, `bc`) to retrieve and parse status information, and there is no evidence of data exfiltration, malicious execution, persistence mechanisms, or other harmful behaviors beyond its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read and display NZBGet status and queue names using your NZBGet credentials; if the configured host is not trusted or protected, those credentials could be exposed.
The script requires NZBGet host, username, and password environment variables and embeds them into the JSON-RPC URL. This is purpose-aligned for checking NZBGet, but it is credentialed account access.
HOST="${NZBGET_HOST:-}" ... PASS="${NZBGET_PASS:-}" ... URL="http://${USER}:${PASS}@${HOST}/jsonrpc"Use credentials only for a trusted NZBGet instance, prefer localhost or a protected HTTPS/reverse-proxy setup for remote access, and avoid sharing broad NZBGet credentials unnecessarily.
The skill may fail unless tools such as bash, curl, jq, and bc are available, and users may not notice the credential requirement from metadata alone.
The registry metadata provides limited provenance and does not declare the environment variables or command-line tools that the included script uses. This is an incomplete setup/capability declaration rather than evidence of hidden malicious behavior.
Source: unknown; Homepage: none; Required binaries (all must exist): none; Env var declarations: none; No install spec — this is an instruction-only skill.
Review the included script before use, ensure the needed local tools are installed, and update metadata to declare the NZBGET_USER, NZBGET_PASS, NZBGET_HOST variables and command dependencies.