ClawHub

Torrent Downloader

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it can automatically start torrent downloads without showing choices or asking for confirmation.

Install only if you intentionally want an agent to search torrent indexes and control qBittorrent. Before use, change qBittorrent's default credentials, keep the Web UI bound to a trusted local address, and require the agent to show the selected title/source/size/magnet and get explicit approval before adding any download.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Tainted flow: 'req' from os.environ.get (line 51, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
"""Login and return SID cookie."""
    data = urllib.parse.urlencode({"username": QBT_USER, "password": QBT_PASS}).encode()
    req = urllib.request.Request(f"{QBT_URL}/api/v2/auth/login", data=data)
    resp = urllib.request.urlopen(req, timeout=10)
    for header in resp.headers.get_all("Set-Cookie") or []:
        if "SID=" in header:
            return header.split("SID=")[1].split(";")[0]
Confidence
95% confidence
Finding
resp = urllib.request.urlopen(req, timeout=10)

Tainted flow: 'req' from os.environ.get (line 51, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
data=data,
        headers={"Cookie": f"SID={sid}"},
    )
    resp = urllib.request.urlopen(req, timeout=10)
    body = resp.read().decode()
    return {"status": "ok" if body.strip() == "Ok." else "error", "response": body.strip()}
Confidence
91% confidence
Finding
resp = urllib.request.urlopen(req, timeout=10)

Tainted flow: 'req' from os.environ.get (line 51, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
f"{QBT_URL}/api/v2/torrents/info?sort={sort}&reverse=true&limit={limit}",
        headers={"Cookie": f"SID={sid}"},
    )
    resp = urllib.request.urlopen(req, timeout=10)
    return json.loads(resp.read())
Confidence
90% confidence
Finding
resp = urllib.request.urlopen(req, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill performs network access and reads environment-based configuration, but does not declare corresponding permissions or capability requirements. This weakens transparency and policy enforcement, making it easier for a user or platform to invoke a skill that can reach external services and use local credentials without clear disclosure.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list contains broad phrases like "find resources" and generic download-related wording in multiple languages, which can match ordinary user requests beyond an explicit torrenting intent. In this context, accidental activation is more dangerous because the skill can search for magnet links and initiate downloads, potentially involving copyrighted or unsafe content.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to pick the top result and start downloading without showing choices or obtaining user confirmation. This creates a high-risk automation path where the agent can initiate network transfers and store potentially illegal, malicious, or unwanted content on the user's system based on ambiguous or manipulated search results.

Natural-Language Policy Violations

Medium
Confidence
77% confidence
Finding
The scoring and behavior rules hard-code a preference for Chinese subtitles without user opt-in, which overrides user autonomy and can bias selection toward a narrower subset of releases. While not as severe as silent download initiation, this can lead to unexpected content choices and increase the chance of selecting undesirable or lower-trust torrents because of subtitle-related weighting rather than explicit user preference.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script sends the user's search term directly to an external torrent index API, which exposes potentially sensitive user intent to a third party without any explicit notice or consent flow. In the context of a torrent-downloader skill, queries may reveal copyrighted media interests or other private preferences, so this is a real privacy issue even though it is not an exploit-oriented code execution flaw.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal