Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Qbittorrent Api

v0.1.0

Use when working with qBittorrent Web API - adding torrents, managing downloads, checking status, or any qBittorrent automation task. Includes curl examples...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name, description, README and SKILL.md all align: this is a qBittorrent Web API reference with curl examples and workflows. However, the skill's metadata declares no required environment variables while the runtime instructions explicitly expect QB_URL, QB_USER and QB_PASS (via a .env). That omission is inconsistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to source a .env, use curl to POST login/logout, and save cookies to /tmp/qb_cookies.txt. These actions are within the normal scope for interacting with qBittorrent. The instructions do cause the agent to read a local .env (sensitive data) and write a cookie file, which the skill reasonably needs but which was not declared in the manifest.
Install Mechanism
This is an instruction-only skill with no install spec or code files to execute. There is no installer or download behavior to review, which reduces installation risk.
Credentials
The skill uses secrets (QB_URL, QB_USER, QB_PASS) from a .env and will source that file at runtime, but the registry metadata lists no required env vars or primary credential. Requiring credentials is proportionate to the task, but the omission in metadata is a mismatch that could lead to accidental secret exposure or unexpected behavior.
Persistence & Privilege
The skill does not request always:true, does not install or modify other skills, and only writes a temporary cookie file to /tmp. It does not ask for persistent system-level privileges.
What to consider before installing
This skill appears to be a straightforward qBittorrent Web API cheat sheet with curl examples, but be aware: its runtime instructions expect a local .env containing QB_URL, QB_USER and QB_PASS and will source that file (reading your credentials) and write cookies to /tmp. The skill metadata did not declare those environment variables — that mismatch is the main concern. Before installing: (1) ensure you trust the skill source or inspect SKILL.md/README yourself, (2) keep any .env with credentials out of version control (add to .gitignore), (3) consider using a restricted account on your qBittorrent instance, and (4) if you want stronger guarantees, ask the publisher to update the metadata to declare required env vars or to accept credentials via a secure, explicit mechanism rather than implicitly sourcing .env. If you cannot verify the source or are uncomfortable with the skill reading a local .env, do not enable it.
