Qbittorrent
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad invocation could pause/resume all torrents or delete downloaded files.
These commands give the agent bulk qBittorrent control and a file-deleting option. That is purpose-aligned for torrent management, but it can remove local downloaded data if used incorrectly.
./scripts/qbit-api.sh pause <hash> # or "all" ./scripts/qbit-api.sh delete <hash> --files # delete files too
Require explicit user confirmation for `all`, `delete`, and `--files`; verify torrent hashes and intended file deletion before running mutating commands.
Anyone who can read the config or session cookie may be able to control qBittorrent, including adding or deleting torrents.
The helper reads qBittorrent WebUI credentials and stores a session cookie. This is expected for the integration, but the credentials and cookie grant control over the user's qBittorrent instance.
CONFIG_FILE="${QBIT_CONFIG:-$HOME/.clawdbot/credentials/qbittorrent/config.json}"
COOKIE_FILE="${QBIT_COOKIE:-/tmp/qbit_cookie_$(id -u).txt}"
-d "username=$QBIT_USER&password=$QBIT_PASS"Use a strong non-default WebUI password, keep the config file private, prefer localhost or HTTPS, and consider setting `QBIT_COOKIE` to a private directory with restrictive permissions.
Users may not realize from registry metadata alone that the skill needs qBittorrent WebUI credentials and local helper dependencies.
The registry metadata provides limited provenance and does not surface the credential/config setup used by the README and script. The observed behavior is still purpose-aligned and no remote install path is shown.
Source: unknown; Homepage: none; Required binaries: none; Env var declarations: none; Primary credential: none
Inspect the included script before use, install dependencies from trusted sources, and ensure the credential setup matches your intended qBittorrent instance.