Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jackett

v1.0.0

Search torrent indexers with Jackett. Use when the user asks to "search torrents", "search with Jackett", "find releases", "search indexers", "list Jackett i...

by Nah3k @imyukehan
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, README, SKILL.md, and the included script all focus on querying Jackett's Torznab API and parsing results — the requested functionality is coherent with the implementation.
Instruction Scope
SKILL.md and README consistently instruct creating a config at ~/.openclaw/credentials/jackett/config.json and/or using JACKETT_URL/JACKETT_API_KEY env vars. The script reads that config and calls the configured Jackett URL, returning parsed JSON or raw XML. This is within scope but the runtime will transmit queries and the API key to whatever URL is configured (localhost or a remote host), so users should only point it at trusted Jackett endpoints.
Install Mechanism
There is no install step (instruction-only), and the script is bundled in the skill so nothing is downloaded at install. That's low risk, but the package executes a local script at runtime — users should review it before running.
Credentials
Registry metadata lists no required env vars or binaries, but the script clearly depends on JACKETT_URL / JACKETT_API_KEY (and accepts JACKETT_APIKEY), and uses external tools (curl, jq, python3). Those env/config requirements and binaries are proportional to the task, but their omission from the declared requirements is an inconsistency that reduces transparency and could mislead users about what secrets are needed or sent.
Persistence & Privilege
always is false, no special persistence or rights requested, and the skill does not attempt to modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to do what it claims (query a Jackett Torznab API) but the registry metadata fails to declare runtime dependencies: the script requires curl, jq, and python3 and uses either a config file (~/.openclaw/credentials/jackett/config.json) or env vars (JACKETT_URL, JACKETT_API_KEY). Before installing, review the script (it's included) and decide where the Jackett endpoint will live — pointing JACKETT_URL at a remote/trusted server will transmit your JACKETT_API_KEY there. Ensure the required binaries are present, prefer storing the API key in a secure place you control, and limit agent autonomy if you do not want the skill to call network endpoints without explicit confirmation.

Like a lobster shell, security has layers — review code before you run it.

