Qbittorrent
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: qbittorrent Version: 1.0.0 The skill is designed to manage qBittorrent via its WebUI API. The `SKILL.md` provides clear instructions for the AI agent without any prompt injection attempts. The `scripts/qbit-api.sh` script correctly reads qBittorrent credentials from a designated configuration file (`~/.clawdbot/credentials/qbittorrent/config.json`) or environment variables and uses `curl` to interact with the user-configured qBittorrent instance. All network calls are directed to the specified qBittorrent URL, and file operations are limited to its own configuration, session cookie management in `/tmp`, and reading `.torrent` files for the 'add-file' functionality. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation. The script's actions are entirely aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad invocation could pause/resume all torrents or delete downloaded files.
These commands give the agent bulk qBittorrent control and a file-deleting option. That is purpose-aligned for torrent management, but it can remove local downloaded data if used incorrectly.
./scripts/qbit-api.sh pause <hash> # or "all" ./scripts/qbit-api.sh delete <hash> --files # delete files too
Require explicit user confirmation for `all`, `delete`, and `--files`; verify torrent hashes and intended file deletion before running mutating commands.
Anyone who can read the config or session cookie may be able to control qBittorrent, including adding or deleting torrents.
The helper reads qBittorrent WebUI credentials and stores a session cookie. This is expected for the integration, but the credentials and cookie grant control over the user's qBittorrent instance.
CONFIG_FILE="${QBIT_CONFIG:-$HOME/.clawdbot/credentials/qbittorrent/config.json}"
COOKIE_FILE="${QBIT_COOKIE:-/tmp/qbit_cookie_$(id -u).txt}"
-d "username=$QBIT_USER&password=$QBIT_PASS"Use a strong non-default WebUI password, keep the config file private, prefer localhost or HTTPS, and consider setting `QBIT_COOKIE` to a private directory with restrictive permissions.
Users may not realize from registry metadata alone that the skill needs qBittorrent WebUI credentials and local helper dependencies.
The registry metadata provides limited provenance and does not surface the credential/config setup used by the README and script. The observed behavior is still purpose-aligned and no remote install path is shown.
Source: unknown; Homepage: none; Required binaries: none; Env var declarations: none; Primary credential: none
Inspect the included script before use, install dependencies from trusted sources, and ensure the credential setup matches your intended qBittorrent instance.