ClawHub

put.io (kaput CLI)

v1.0.0

Manage a put.io account via the kaput CLI (transfers, files, search) — hoist the mainsail, add magnets/URLs, and check transfer status; best paired with the chill-institute skill.

1· 1.7k·0 current·0 all-time
byAanish Bhirud@baanish
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and SKILL.md. All requested actions (list/add transfers, search files, check auth) are implemented by simple wrappers that call the kaput CLI. No unrelated capabilities, binaries, or env vars are requested.
Instruction Scope
SKILL.md instructs installing kaput via cargo and using its device-code login flow. Runtime scripts only call kaput (or respect KAPUT_BIN) and do not read unrelated files, environment variables, or exfiltrate data. The README warns about token safety and not pasting passwords.
Install Mechanism
There is no automatic install spec in the skill bundle; the user is told to run 'cargo install kaput-cli'. That is a reasonable, proportional instruction for an unofficial Rust CLI. The skill itself does not download code from arbitrary URLs or extract archives.
Credentials
The skill declares no required env vars or credentials. Scripts optionally honor KAPUT_BIN to override the binary location, which is appropriate and minimal. Authentication is performed by the kaput CLI using the device-code flow and stored locally by the CLI (not by the skill).
Persistence & Privilege
always is false and the skill doesn't request system-wide changes or modify other skills. It does not embed persistent installers or self-enable. Runtime actions are limited to invoking the kaput CLI.
Assessment
This skill is a thin, coherent wrapper around the kaput CLI and appears low-risk, but take these precautions before installing/using it: - Verify the kaput-cli package/source before running 'cargo install' (crates.io packages are arbitrary code that will be compiled/run on your machine). Prefer installing from a trusted repository or review its source. The SKILL.md calls kaput 'unofficial'. - Use the kaput device-code login flow as instructed; do not paste credentials into chat. Treat the CLI's token file as sensitive and keep it private (the CLI stores it locally). - Be aware that any command that adds transfers will cause put.io to fetch content specified by URLs/magnets you supply; only add URLs you trust. The skill can run these commands autonomously if the agent is allowed to invoke skills, so restrict agent autonomy if you don't want it creating transfers without your review. - If you want stronger isolation, run kaput in a controlled environment (local user account or container) rather than on a shared machine. Overall, the skill's behavior and requirements match its stated purpose; the remaining risk is the normal risk of installing and running an external CLI (verify the CLI itself).

Like a lobster shell, security has layers — review code before you run it.

latestvk9718646h4w6337kbvk8efyg2d7ztx3m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments