WebTorrent — Streaming Torrent Client
Advisory
Audited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used without care, the agent could help implement code that downloads unwanted content or shares a local file with other peers.
The skill documents downloading torrent content to local storage and seeding a local file to a peer-to-peer swarm. This is core WebTorrent behavior, but it has real file-sharing impact.
client.add(magnetURI, { path: './downloads' }, ...)
...
client.seed('/path/to/file.mp4', ...)
Only seed files the user explicitly chose, avoid sensitive/private files, set clear download paths, and stop/destroy torrents when finished.
An implementation using defaults may connect to public peer/tracker networks and upload/download without rate limits.
The reference documents default DHT/tracker networking and unlimited download/upload limits. These defaults are normal for a torrent client, but can affect bandwidth and network exposure.
`dht` | ... | `true` ... `tracker` | ... | `true` ... `downloadLimit` | ... | `-1` ... `uploadLimit` | ... | `-1`
Set upload/download limits, choose whether DHT/tracker/LSD should be enabled, and run torrent functionality only in an environment where P2P traffic is acceptable.
The user’s project may execute third-party code from npm or a CDN, including a globally installed CLI if they follow that optional command.
The skill relies on external npm packages and a CDN-hosted browser import. This is expected for WebTorrent usage, but package/CDN versions are not pinned in the examples.
npm install webtorrent ... npm install webtorrent-cli -g ... import WebTorrent from 'https://esm.sh/webtorrent'
Pin package versions, use a lockfile, audit dependencies, avoid global CLI installs unless needed, and prefer pinned/local browser bundles over unpinned CDN imports.
