ClawHub

Qbittorrent

v1.0.0

Manage torrents with qBittorrent. Use when the user asks to "list torrents", "add torrent", "pause torrent", "resume torrent", "delete torrent", "check download status", "torrent speed", "qBittorrent stats", or mentions qBittorrent/qbit torrent management.

2· 2.8k·16 current·18 all-time
by@jmagar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the shipped script and README: the skill talks to qBittorrent's WebUI API to list/add/pause/resume/delete torrents and adjust limits. However the metadata declares no required binaries or env vars while the script clearly depends on curl and jq (and uses id). That omission is a discrepancy in the manifest, though the binaries themselves are reasonable and expected for this purpose.
Instruction Scope
SKILL.md and README instruct the agent to read a local config file (~/.clawdbot/credentials/qbittorrent/config.json) or environment variables and then call qBittorrent's local/remote WebUI API. The included script only interacts with the configured QBIT_URL and uses a temporary cookie file under /tmp; it does not attempt to read other unrelated system files or send data to unexpected external endpoints.
Install Mechanism
There is no install spec (instruction-only with an included helper script). No archives or remote downloads are performed by the skill itself, so there is low install-time risk.
Credentials
The skill requires qBittorrent credentials (username/password) which is appropriate. Those credentials are expected in a local JSON config file or via QBIT_URL/QBIT_USER/QBIT_PASS env vars (documented in README) but the registry metadata does not list these env vars or the need to store credentials in the filesystem—this mismatch should be noted. The script stores a session SID in /tmp, which is normal for a client script but means credentials are present on disk (config file and cookie).
Persistence & Privilege
always:false and normal model invocation are set. The skill does not request persistent system-wide privileges nor modify other skill configurations. It writes a per-user cookie file in /tmp and asks the user to create a local config file; both are limited in scope.
Assessment
This skill appears coherent for managing qBittorrent, but check a few things before installing: (1) Inspect the included scripts yourself — qbit-api.sh uses curl and jq (ensure they exist and are acceptable on your system). (2) The skill requires qBittorrent WebUI credentials stored in a plaintext JSON config (~/.clawdbot/credentials/qbittorrent/config.json) or environment variables; consider file permissions and use a least-privileged account. (3) Ensure QBIT_URL points to a trusted host (prefer localhost) — do not expose credentials to a remote, untrusted WebUI. (4) The registry metadata omits declaring required binaries/envs; if you rely on automatic environment checks, add curl/jq to your environment first. If any of these points are unacceptable (e.g., you cannot store credentials locally or cannot trust the WebUI endpoint), do not enable the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cg6yfp97ddx1hsdb76majs17zsqy1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments