Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
magnet-search
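v2.0.1
Search for movie magnet download links. Connects to real magnet search engine APIs (ThePirateBay, Nyaa, etc.) and returns high-quality torrent links. For lawful personal study and research purposes.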
by LuZhong @beancookie
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (search magnet/torrent links from TPB, Nyaa, etc.) aligns with the code and SKILL.md: the script queries public torrent search APIs and RSS feeds and builds magnet URIs. That capability legitimately requires network access to those sites. However, the SKILL.md claims '自动处理 SSL 证书验证' ("automatically handles SSL certificate verification") while the code disables TLS certificate validation (ssl.CERT_NONE), which is inconsistent and risky.
Instruction Scope
SKILL.md instructs only to run the script or call the skill, which is consistent with an instruction-only tool. The runtime instructions do not ask for unrelated local files or credentials. However, the Python implementation (included) makes arbitrary outbound HTTP(S) requests to multiple third-party sites and explicitly disables certificate verification, creating a risk of man-in-the-middle interception. Additionally, the provided Python source contains clear syntax/logic issues (malformed r.append call in search_yts and the distributed file appears truncated), indicating it may crash or behave unexpectedly.
Install Mechanism
No install spec is provided (instruction-only), so nothing is automatically written to disk beyond the included script. This is the lower-risk install pattern. The script itself will perform network I/O when run.
Credentials
The skill declares no required environment variables, credentials, or config paths and the SKILL.md does not request secrets. The included code does not appear to read environment credentials. No disproportionate credential access is requested.
Persistence & Privilege
The skill does not request always:true and uses default invocation behavior. There is no evidence it attempts to persistently modify other skills or system-wide agent settings.
Scan Findings in Context
[ssl_verify_disabled] unexpected: The code creates an SSL context with check_hostname = False and verify_mode = ssl.CERT_NONE, disabling certificate verification. This is not necessary for a search-only tool and contradicts the SKILL.md claim of handling SSL verification.
[syntax_or_logic_error] unexpected: The source contains at least one obvious malformed construct (broken r.append(...) block in search_yts) and the file included in the package appears truncated; these are implementation bugs, not expected or desirable for a released skill.
What to consider before installing
This skill is designed to search torrent/magnet sources, and network requests to torrent sites are expected. Before installing, consider: (1) Legal: searching/downloading copyrighted torrents may be illegal in your jurisdiction — only use for legitimate content. (2) Security: the script disables TLS verification (MITM risk); do not run it on sensitive networks without fixing that. (3) Code quality: the included Python has clear bugs and may crash or behave unexpectedly. Recommendations: inspect the full, untruncated source; insist the author remove or justify disabled SSL verification (enable proper certificate validation), and fix syntax errors; run the script only in a sandboxed environment; or prefer a maintained/verified alternative from a trusted source.
Like a lobster shell, security has layers — review code before you run it.
latestvk973ec8z8s1c2tjssy5xgmnz7183q0d7
