Pt Site

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill fits its torrent-search purpose, but it uses private-tracker session cookies/passkeys and qBittorrent control that are not declared in the registry metadata.

Review carefully before installing. This skill needs private-tracker cookies and may handle tracker passkeys, so use it only if you trust the agent with that account access. Keep the credential file private, verify the qBittorrent helper separately, and require confirmation before any torrent is downloaded or added.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If mishandled, the agent could use the user's private tracker account session to search or download under that account, affecting privacy, ratio, or account standing.

Why it was flagged

The skill instructs the agent to load private-tracker session cookies from a persistent local credential file. These cookies can act as account credentials, while the registry metadata declares no primary credential or required config path.

Skill content

Credentials: `~/.clawdbot/credentials/pt-site/sites.json` ... "cookie": "c_secure_uid=xxx; c_secure_pass=xxx"

Recommendation

Only use this with a tracker account you are comfortable delegating to the agent, store the cookie file securely, and prefer explicit confirmation before every authenticated download.

Concern (Medium Confidence)

ASI03: Identity and Privilege Abuse

What this means

A passkey can identify or authorize downloads for the user's tracker account, so exposing or reusing it incorrectly could compromise the account.

Why it was flagged

A tracker passkey is sensitive account-linked credential material. The artifact does not specify approval, storage, redaction, or limits for extracting it from the user's profile.

Skill content

Many NexusPHP sites require passkey for download - may need to extract from user's profile

Recommendation

Require explicit user approval before reading profile pages for passkeys, avoid printing passkeys in outputs/logs, and document how passkeys are stored or discarded.

What this means

The agent may start or queue downloads in qBittorrent after using authenticated tracker access.

Why it was flagged

The skill uses command-line/network tooling and can add torrents to qBittorrent. This is purpose-aligned and the workflow says the user selects a torrent, but it is still a meaningful action on the user's local environment.

Skill content

Download with curl, include Cookie header ... Add downloaded torrent ... ./scripts/qbit-api.sh add-file /tmp/torrent.torrent --category "PT"

Recommendation

Confirm the selected torrent, save path, category, and whether qBittorrent will start downloading before allowing the action.

What this means

Behavior depends on tools or another skill outside the reviewed artifact set, so actual qBittorrent actions may vary by local installation.

Why it was flagged

The skill references an external qBittorrent helper/skill that is not included in this manifest, and the included script also relies on jq despite no required binaries being declared.

Skill content

Use qbittorrent skill: ... ./scripts/qbit-api.sh add-file /tmp/torrent.torrent --category "PT"

Recommendation

Review the referenced qBittorrent skill/helper separately and declare required tools such as jq and the credential path in metadata.