put.io (kaput CLI)
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill should treat the local kaput token as sensitive because it can authorize actions on their put.io account.
The skill requires put.io account authentication and uses a locally stored token. This is purpose-aligned and disclosed, but it grants access to the user's put.io account.
The CLI completes and stores a token locally.
Use the device-code login as documented, do not paste passwords or tokens into chat, and revoke or remove the kaput token if you no longer want the CLI to access your account.
Running this command can add content to the user's put.io transfers and may consume account storage, bandwidth, or quota.
The script submits a user-provided magnet, torrent URL, or direct URL to the put.io account. This directly matches the skill's purpose, but it is an account-mutating action.
"$KAPUT" transfers add "$URL"
Only add transfers when the user explicitly asks for that URL or magnet, and review the URL before submitting it.
The safety of account operations also depends on the external kaput-cli package the user installs.
The skill depends on installing an external, unofficial CLI package. This is disclosed and central to the skill, but the artifacts do not pin a version or provide a reviewed copy of that dependency.
This skill uses the unofficial **kaput** CLI ... cargo install kaput-cli
Install kaput-cli only from a source you trust, consider pinning or reviewing the package version, and keep it updated according to the package maintainer's guidance.
