Anime Download Skill
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: anime-download-skill Version: 0.3.3 The skill instructions in SKILL.md direct the agent to execute a high-risk `curl | sh` command to install the `uv` tool from `astral.sh`. While this is the official installation method for a legitimate utility, executing remote scripts directly in a shell is a significant security risk for automated agents. Additionally, the skill relies on `uvx` to fetch and execute the `anicatch` package from PyPI, which introduces supply chain risks, and facilitates BitTorrent downloads involving unverified peer-to-peer network connections.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the tool may execute third-party code and modify the user's local package/cache environment.
The skill's setup path can execute a remote installer and install/run an unpinned external package whose code is not included in the reviewed artifacts. This is disclosed and purpose-aligned, but supply-chain trust is delegated to external sources.
curl -LsSf https://astral.sh/uv/install.sh | sh ... pipx install anicatch && anicatch --search "KEYWORD"
Install uv and anicatch only from trusted sources, consider pinning or reviewing the package, and require user approval before first-time setup.
Downloads may create local files and BitTorrent activity may expose network metadata such as the user's IP address to peers or trackers.
The skill exposes user-directed download commands that fetch torrent content and write files locally. This matches the stated purpose, but it is a meaningful external-network and filesystem action.
`--download "URL"` — download torrent directly from a detail page URL ... `uvx anicatch --download "https://miobt.com/show-xxx.html" -o ~/Downloads`
Confirm each download, choose an appropriate output directory, and only download content from sources the user trusts and is allowed to use.