WebTorrent — Streaming Torrent Client

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only WebTorrent skill whose torrent downloading and seeding guidance matches its stated purpose, but users should understand the P2P privacy and dependency risks.

Install this only if you intend to build BitTorrent/WebTorrent features. Use legal torrents, get explicit user consent before seeding local files, consider disabling or limiting DHT/tracker/LSD/upload behavior when not needed, set download paths deliberately, avoid unpinned global or CDN installs for production, and treat downloaded content as untrusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 90% confidence

The trigger list includes generic terms like 'torrent', 'seeding', and 'streaming download' that can match broad user requests outside a narrowly scoped WebTorrent use case. In an agent environment, overbroad triggers can cause unintended activation and route users into peer-to-peer file transfer guidance, increasing the chance of privacy exposure, copyright misuse, or unsafe network actions without sufficient context checks.

Missing User Warnings

Medium, 94% confidence

The skill promotes torrent downloading and browser-wide P2P communication but does not prominently warn that using WebTorrent exposes the user's IP/network presence to peers, trackers, and discovery mechanisms. Because the examples encourage immediate use of downloading and seeding features, users may unknowingly participate in public peer-to-peer sharing or disclose metadata and connectivity information.

VirusTotal

64/64 vendors flagged this skill as clean.
