Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mteam Transmission0.1

v0.1.0

A professional private media-resource assistant that helps the user search M-Team for movie and TV torrents and send them to a local Transmission for download, ensuring a good viewing experience.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The name and description say: search M‑Team and push selected torrents to a local Transmission. The code implements exactly that, but the skill metadata lists no required environment variables or credentials even though main.py and the README clearly require an M‑Team API key and a Transmission host/username/password. That omission is an incoherence: anyone running this legitimately must provide those secrets, yet the package metadata doesn't declare them.
Instruction Scope
SKILL.md gives a focused runtime flow (search, wait for user selection, download/send to Transmission) and explicitly warns not to print torrent_id. It does not mention credentials, proxies, or local Transmission configuration; runtime code, however, uses network calls, proxies, temp files (/tmp), and Transmission RPC — these actions are within the skill's stated purpose but the instructions are silent about required credentials and network/proxy behavior.
[!] Install Mechanism
The repository is instruction-only in the registry (no install spec), but README instructs installing Python dependencies (requests, transmission-rpc). The skill package doesn't declare these dependencies in metadata, so runtime may fail or an operator may install packages blindly. Missing dependency declaration is a deployment/integrity gap.
[!] Credentials
main.py expects an MTEAM_API_KEY and Transmission credentials (host/port/user/password) but the skill metadata declared no required env vars. The code also contains hardcoded placeholder/default values (MTEAM_API_KEY placeholder string, TRANS_HOST 10.1.1.10, TRANS_PASS 'password') and a default local proxy configuration. Requiring credentials to access both a private tracker API and a local service is appropriate for purpose, but omitting these from metadata and shipping plaintext placeholders increases risk (accidental credential embedding, unclear expectations).
Persistence & Privilege
The always flag is false and the skill does not request special platform privileges. It does perform network I/O to an external API and connects to a local Transmission instance, which is expected for its function. It does not attempt to modify other skills or system-wide configuration.
Scan Findings in Context
[network_call_requests] expected: The code issues POST/GET requests to https://api.m-team.cc and to generated download URLs; this is necessary to search and fetch torrent files.
[transmission_rpc_usage] expected: The skill uses transmission_rpc.Client to add torrents to a Transmission daemon — expected for pushing downloads to a local client.
[writes_temp_files] expected: Temporary .torrent files are written to /tmp before being added to Transmission; this is reasonable, and the code removes them on success or failure.
[hardcoded_placeholders_and_credentials] unexpected: main.py contains default/placeholder values and a plaintext TRANS_PASS ('password') and an MTEAM_API_KEY placeholder. The README instructs editing code or setting env vars, but the metadata lists no required secrets. Shipping hardcoded credential placeholders and not declaring required env vars is a configuration/information-risk issue.
[proxy_configuration_localhost] expected: The code includes a proxies dict pointing to localhost:7890 to avoid Cloudflare/timeouts. Using a local proxy is plausible, but the presence of proxy usage should be disclosed to operators because it changes network flow and can be used for interception if misconfigured.
What to consider before installing
This skill roughly does what it says (search M‑Team and add a torrent to Transmission) but there are important gaps you should address before installing:
  1. Review main.py — it expects an M‑Team API key and Transmission host/user/password; the registry metadata does not declare these required secrets. Do not paste real credentials into the repository; prefer environment variables and declare them in metadata.
  2. The README asks you to pip install dependencies (requests, transmission-rpc) — the package doesn't declare them automatically.
  3. Check and change default placeholders (TRANS_HOST, TRANS_PASS, MTEAM_API_KEY) and the proxy settings; ensure the Transmission host IP is correct for your network.
  4. Run the skill in an isolated environment or sandbox and inspect network traffic if you are unsure — the skill makes outbound HTTP requests and will transmit your API key to api.m-team.cc.
  5. Consider legal/privacy implications of using private tracker APIs and automated torrenting.
If you want to proceed, require the skill to explicitly declare required environment variables (MTEAM_API_KEY, TRANS_HOST, TRANS_PORT, TRANS_USER, TRANS_PASS) and avoid embedding credentials in code.
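As an added example (not the skill's own main.py or any registry code), here is the fail-closed settings loading the recommendations above describe: every secret must come from the environment, the shipped placeholder defaults the scan quotes are rejected, the proxy is opt-in rather than a silent localhost default, and a helper reports which required variables a skill's metadata leaves undeclared. The MTEAM_PROXY variable name, the metadata 'env' key and the YOUR_MTEAM_API_KEY stand-in are assumptions.

```python
import os
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Variables the scan report says main.py needs but the skill metadata never declares.
REQUIRED_ENV = ("MTEAM_API_KEY", "TRANS_HOST", "TRANS_PORT", "TRANS_USER", "TRANS_PASS")
# Shipped defaults that must never pass as real configuration. TRANS_PASS/TRANS_HOST are
# the values quoted in the findings; the MTEAM_API_KEY entry is a constructed stand-in.
PLACEHOLDER_VALUES = {
    "TRANS_PASS": {"password"},
    "TRANS_HOST": {"10.1.1.10"},
    "MTEAM_API_KEY": {"YOUR_MTEAM_API_KEY"},
}

class ConfigError(ValueError):
    """Raised instead of silently falling back to a hardcoded default."""

@dataclass(frozen=True)
class Settings:
    mteam_api_key: str
    trans_host: str
    trans_port: int
    trans_user: str
    trans_pass: str
    proxy: Optional[str]  # None unless the operator opts in via MTEAM_PROXY (assumed name)

def load_settings(env: Mapping[str, str] = os.environ) -> Settings:
    # Fail closed: a missing or placeholder value is an error, never a default.
    missing = [k for k in REQUIRED_ENV if not env.get(k, "").strip()]
    if missing:
        raise ConfigError(f"missing required environment variables: {missing}")
    for key, bad in PLACEHOLDER_VALUES.items():
        if env[key].strip() in bad:
            raise ConfigError(f"{key} still holds the shipped placeholder value")
    if not env["TRANS_PORT"].strip().isdigit():
        raise ConfigError("TRANS_PORT must be a number")
    return Settings(
        mteam_api_key=env["MTEAM_API_KEY"].strip(),
        trans_host=env["TRANS_HOST"].strip(),
        trans_port=int(env["TRANS_PORT"]),
        trans_user=env["TRANS_USER"].strip(),
        trans_pass=env["TRANS_PASS"],
        # Proxy is explicit and opt-in rather than a silent localhost:7890 default.
        proxy=env.get("MTEAM_PROXY", "").strip() or None,
    )

def undeclared_env_vars(metadata: Mapping) -> List[str]:
    """Required variables missing from the metadata's (assumed) 'env' list."""
    declared = set(metadata.get("env", []))
    return [k for k in REQUIRED_ENV if k not in declared]
```

Running undeclared_env_vars against this skill's metadata, which declares nothing, returns all five names, which is exactly the gap the report flags.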


latest: vk97bccmqfssdh84a5z6xkn0erx82jm2n
286 downloads
0 stars
1 version
Updated 42m ago
v0.1.0
MIT-0

Role

You are a professional private media-resource assistant. Your task is to help the user find movie and TV torrents on M-Team and send them to the local Transmission for download. You are rigorous and efficient, your replies are cleanly formatted, and you care a great deal about the user's viewing experience.

Workflow

Step 1: Search for resources

  1. Extract the name of the movie or show the user wants as the keyword and call the search_mteam_torrents tool.
  2. If nothing is found or an error is returned, let the user know gently.
  3. If the search succeeds, format the returned list of resources as a clear Markdown list and send it to the user.
    • It must include: index number, title, size, number of seeders.
    • Pay special attention: if a title returned by the tool carries the 💖[含中字/国配] marker (Chinese subtitles / Mandarin dub), highlight it in the reply or add a friendly one-line note telling the user which versions include Chinese subtitles.
    • The reply must end with the question: “Which one would you like to download? Just reply with the index number.”

Step 2: Wait for the user's choice

  • Stay silent and wait for the user to reply with a specific index number.

Step 3: Run the download

  1. After the user replies with an index number, match it exactly against your context to find the corresponding torrent_id and category.
  2. Call the download_torrent tool.
  3. Once you have the result, tell the user whether the download succeeded and clearly show the NAS directory it was saved to.

Notes

  • Never show the long torrent_id directly in the chat bubble sent to the user; it hurts readability. Keep it in your own context for tool calls only.
  • Only call the download tool after the user has explicitly chosen an index number; never download on your own initiative.
