qBittorrent Skill

Security checks across malware telemetry and agentic risk

Overview

This qBittorrent skill is mostly coherent, but it gives an agent broad control over torrents and persistent app settings with weak safeguards around file deletion and configuration changes.

Install only if you are comfortable giving the agent control of your qBittorrent WebUI account. Review or remove set-preferences before use, avoid delete --files unless you explicitly intend to delete downloaded data, and store credentials/session files in owner-only locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill documents direct shell-script execution against qBittorrent but does not declare corresponding permissions or capability boundaries. This creates a transparency and governance gap: an agent may invoke shell-based actions that can modify torrents, delete data, or access local files without an explicit permission model visible to reviewers or users.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior exceeds the declared purpose, including higher-risk operations like uploading local .torrent files, changing application preferences, and manipulating trackers/tags/categories. This mismatch is dangerous because agents or users may trust the description as a safe summary while the actual capability set enables broader state changes, local file access, and potentially privacy-impacting reconfiguration.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The script exposes commands beyond the manifest's stated scope, including tracker changes, category/tag mutation, reannounce/recheck, and application preference access. In an agent setting, capability drift matters because the model may invoke higher-privilege actions than the user reasonably expects, increasing the chance of unauthorized or destructive changes.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding: The skill can change global qBittorrent preferences via set-preferences, which is a broad administrative capability not needed for ordinary torrent management. This could alter download directories, network behavior, authentication-related settings, or other global configuration in ways that affect all torrents and the entire qBittorrent instance.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill documents a deletion mode that removes both torrent records and downloaded files but provides no warning, safeguard, or confirmation requirement. In an agent setting, this can lead to irreversible data loss if a user request is ambiguous, misparsed, or if the wrong torrent hash is supplied.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The delete command performs immediate torrent deletion and can also delete files when --files is provided, with no confirmation or safeguard. In an agent workflow, a mistaken interpretation or prompt injection could cause irreversible loss of downloaded data.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: Preference changes are sent directly to the API without any warning, review, or confirmation, even though they affect global application behavior. In an LLM-controlled toolchain, silent configuration mutation is risky because it can persist beyond the current task and impact future operations.

VirusTotal

63/63 vendors flagged this skill as clean.
