put.io (kaput CLI)

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: putio
Version: 1.0.0

The skill bundle is benign. It clearly defines its purpose to manage put.io via the `kaput-cli` tool. All scripts directly invoke the `kaput` CLI with arguments, without any evidence of data exfiltration, malicious execution (e.g., `curl|bash`, `eval`), persistence mechanisms, or obfuscation. The `SKILL.md` instructions are straightforward, do not contain prompt injection attempts, and even include security notes advising against pasting passwords or sharing debug logs. The installation of `kaput-cli` via `cargo install` is a standard method for Rust tools and is explicitly stated.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill should treat the local kaput token as sensitive because it can authorize actions on their put.io account.

Why it was flagged

The skill requires put.io account authentication and uses a locally stored token. This is purpose-aligned and disclosed, but it grants access to the user's put.io account.

Skill content

The CLI completes and stores a token locally.

Recommendation

Use the device-code login as documented, do not paste passwords or tokens into chat, and revoke or remove the kaput token if you no longer want the CLI to access your account.

What this means

Running this command can add content to the user's put.io transfers and may consume account storage, bandwidth, or quota.

Why it was flagged

The script submits a user-provided magnet, torrent URL, or direct URL to the put.io account. This directly matches the skill's purpose, but it is an account-mutating action.

Skill content

"$KAPUT" transfers add "$URL"

Recommendation

Only add transfers when the user explicitly asks for that URL or magnet, and review the URL before submitting it.

What this means

The safety of account operations also depends on the external kaput-cli package the user installs.

Why it was flagged

The skill depends on installing an external, unofficial CLI package. This is disclosed and central to the skill, but the artifacts do not pin a version or provide a reviewed copy of that dependency.

Skill content

This skill uses the unofficial **kaput** CLI ... cargo install kaput-cli

Recommendation

Install kaput-cli only from a source you trust, consider pinning or reviewing the package version, and keep it updated according to the package maintainer's guidance.