Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nas Movie Download

v3.2.2

Search and download movies via Jackett and qBittorrent. Use when user wants to download movies or videos from torrent sources, search for specific movie titl...

by Roger (@roger0808)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for roger0808/nas-movie-download.

Install the skill "Nas Movie Download" (roger0808/nas-movie-download) from ClawHub.
Skill page: https://clawhub.ai/roger0808/nas-movie-download
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install nas-movie-download

ClawHub CLI

npx clawhub@latest install nas-movie-download

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description (Jackett + qBittorrent + SMB subtitle fetching) align with the included scripts: search, add magnet to qBittorrent, wait for completion, and download/upload subtitles via SMB. The code implements the stated capabilities.
Instruction Scope
SKILL.md and scripts instruct the agent to access network services (Jackett, qBittorrent, subtitle providers) and an SMB share—this is expected. However SKILL.md documents environment variables and a config file but the skill metadata declares no required env vars or config paths; the packaged files read/write config/smb.env and embed defaults. The instructions also reference running many scripts that will attempt SMB and HTTP access and run subprocesses (subliminal), which is within scope but broad.
Install Mechanism
No install spec; this is an instruction + code bundle. That lowers supply-chain risk compared with remote downloads. Scripts rely on system binaries (python3, curl, jq, subliminal) but none are installed by the skill itself.
Credentials
Although the registry metadata lists no required environment variables or primary credential, the SKILL.md and many scripts expect and embed sensitive values: JACKETT_API_KEY, QB_USERNAME/QB_PASSWORD, SMB_USERNAME/SMB_PASSWORD, and a private IPv4 address (192.168.1.246). Multiple files include plaintext credentials and server addresses (config/smb.env and numerous scripts). Requesting network credentials for the services the skill uses is reasonable, but bundling valid-seeming credentials in code/config and not declaring them in metadata is inconsistent and risky.
Persistence & Privilege
The skill does not request always:true and contains no install-time hooks or modifications to other skills. It runs when invoked and doesn't claim persistent system-level privileges beyond normal network/SMB access.
Scan Findings in Context
[HARDCODED_CREDENTIALS] unexpected: Multiple files (config/smb.env and many scripts) contain plaintext SMB, qBittorrent, and Jackett credentials and default URLs. While the skill needs credentials to access those services, bundling them in the package is inappropriate and not declared in metadata.
[UNDOCUMENTED_CONFIG_PATH] unexpected: Registry metadata declared no required config paths, but config/smb.env is present and referenced by SKILL.md/scripts. This mismatch is incoherent.
[NETWORK_ACCESS_AND_SUBPROCESS] expected: Scripts use HTTP calls (Jackett/qBittorrent) and spawn subprocesses (subliminal) to download subtitles—this is expected for the stated functionality but expands the attack surface (remote hosts + subprocesses).
What to consider before installing
This package appears to do what it says (search torrents via Jackett, add to qBittorrent, download/upload subtitles via SMB), but there are red flags you should consider before installing or running it:

  • Hard-coded secrets: The bundle contains plaintext credentials and default API keys/URLs (SMB username/password, qBittorrent credentials, Jackett API key and 192.168.* address). Treat these as untrusted—they may be placeholders, but they could also belong to someone else, or be reused later. Replace or remove them and store real credentials in environment variables or a secure secret store.
  • Metadata mismatch: The registry metadata claims no required env vars/config paths, yet SKILL.md and the files expect and reference config/smb.env and many env variables. This inconsistency could cause accidental use of embedded defaults. Review SKILL.md and all config files and ensure no unwanted credentials remain.
  • Network effects and legality: The scripts will make network requests to local/Internet hosts and spawn subprocesses (subliminal uses external subtitle providers). Only run in an environment where these network accesses are allowed and legal (torrenting may be illegal in your jurisdiction). Consider running in an isolated network or VM first.
  • Audit and harden before use: Inspect the entire code bundle (you have it) and remove or rotate embedded credentials, confirm the Jackett/qBittorrent endpoints are yours, and prefer to set environment variables rather than use defaults. If you don't control the referenced SMB/qBittorrent/Jackett hosts, do not run the scripts.
  • If you need higher assurance: ask the publisher for provenance (who maintains this skill), confirm the embedded credentials are placeholders, and request an updated package that does not include secrets and that documents required env vars/config paths in metadata.

Why suspicious not malicious: The code implements the described behavior and does not contain obvious exfiltration backchannels or obfuscated remote endpoints, but the inclusion of real-looking credentials and the metadata mismatch are significant coherence problems that could lead to credential misuse or accidental connection to unknown hosts. More information from the author (or removal/rotation of embedded secrets) could change this to benign.
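
The two coherence problems above (credentials embedded as defaults, and environment variables the registry metadata never declares) can be checked mechanically before installing a bundle. The following is an added example, not code from the scanner or from the skill: the file contents in SAMPLE are constructed, and `audit_bundle` and its finding labels are this example's own names.

```python
import re

# Constructed sample bundle: paths mirror the skill's layout, contents are invented.
SAMPLE = {
    "scripts/jackett-search.sh":
        'JACKETT_URL="${JACKETT_URL:-http://nas.example:9117}"\n'
        'JACKETT_API_KEY="${JACKETT_API_KEY:-EXAMPLE-KEY}"\n',
    "scripts/smb-download-subtitle.py":
        'import os\n'
        'user = os.environ.get("SMB_USERNAME", "example-user")\n'
        'pw = os.getenv("SMB_PASSWORD", "")\n',
    "config/smb.env": "SMB_SERVER=nas.example\nSMB_PASSWORD=example-password\n",
}

# Shell ${VAR:-default}, Python os.environ.get/os.getenv("VAR", "default"),
# and KEY=value lines in *.env files.
SHELL_DEFAULT = re.compile(r'\$\{([A-Z][A-Z0-9_]*):-([^}]*)\}')
PY_DEFAULT = re.compile(
    r'''os\.(?:environ\.get|getenv)\(\s*["']([A-Z][A-Z0-9_]*)["']\s*,\s*["']([^"']*)["']''')
ENV_ASSIGN = re.compile(r'''^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=["']?([^"'\s#]+)''', re.M)
CRED_NAME = re.compile(r'PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|USERNAME')


def audit_bundle(files, declared_env=()):
    """Return sorted (kind, path, var) findings for a {path: text} bundle."""
    findings = set()
    for path, text in files.items():
        hits = SHELL_DEFAULT.findall(text) + PY_DEFAULT.findall(text)
        if path.endswith(".env"):
            hits += ENV_ASSIGN.findall(text)
        for var, default in hits:
            if var not in declared_env:
                # Code reads a variable the registry metadata never declared.
                findings.add(("UNDECLARED_ENV", path, var))
            if default and CRED_NAME.search(var):
                # A credential-named variable ships with a usable value.
                findings.add(("HARDCODED_CREDENTIAL", path, var))
    return sorted(findings)


if __name__ == "__main__":
    for kind, path, var in audit_bundle(SAMPLE):
        print(f"{kind:22} {path}: {var}")
```

An empty default such as `os.getenv("SMB_PASSWORD", "")` is reported only as undeclared, since it cannot be used to log in anywhere.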

Like a lobster shell, security has layers — review code before you run it.

v3.2.2
MIT-0

NAS Movie Download

Automated movie downloading system using Jackett for torrent search and qBittorrent for download management.

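New feature: automatic subtitle download over SMB! 🎬 After a download completes, subtitles for the video are automatically downloaded and uploaded over SMB.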

Configuration

Environment Variables

Set these environment variables for the skill to function properly:

Jackett Configuration:

  • JACKETT_URL: Jackett service URL (default: http://192.168.1.246:9117)
  • JACKETT_API_KEY: Jackett API key (default: o5gp976vq8cm084cqkcv30av9v3e5jpy)

qBittorrent Configuration:

  • QB_URL: qBittorrent Web UI URL (default: http://192.168.1.246:8888)
  • QB_USERNAME: qBittorrent username (default: admin)
  • QB_PASSWORD: qBittorrent password (default: adminadmin)

SMB Configuration (for subtitle download):

  • SMB_USERNAME: SMB username (default: 13917908083)
  • SMB_PASSWORD: SMB password (default: Roger0808)
  • SMB_SERVER: SMB server IP (default: 192.168.1.246)
  • SMB_SHARE: SMB share name (default: super8083)
  • SMB_PATH: SMB download path (default: qb/downloads)

Subtitle Configuration:

  • SUBTITLE_LANGUAGES: Default subtitle languages (default: zh,en)

SMB Setup

The SMB configuration is saved in config/smb.env

cat config/smb.env

Indexer Setup

The skill works with Jackett indexers. Currently configured indexers:

  • The Pirate Bay
  • TheRARBG
  • YTS

Ensure these indexers are enabled and configured in your Jackett installation for best results.

Usage

Search Movies

Search for movies without downloading:

scripts/jackett-search.sh -q "Inception"
scripts/jackett-search.sh -q "The Matrix"
scripts/jackett-search.sh -q "死期将至"  # Chinese movie names supported

Download Movie Only

Download movie without subtitles:

scripts/download-movie.sh -q "The Matrix"

Download with Automatic Subtitles via SMB 🆕

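Full flow: search → download → automatic subtitle download → upload to SMB

# Download a movie and automatically fetch subtitles over SMB
scripts/download-movie.sh -q "Young Sheldon" --subtitle

# Specify subtitle languages
scripts/download-movie.sh -q "Community" --subtitle --lang zh,en

Parameters:

  • --subtitle: Enable automatic subtitle download (over SMB)
  • --lang: Subtitle languages (default: zh,en)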

SMB Subtitle Download (Standalone)

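Download subtitles over SMB for videos already downloaded to the NAS:

# Download subtitles for a single video
python3 scripts/smb-download-subtitle.py -f "movie.mkv"

# Download subtitles for an entire directory
python3 scripts/smb-download-subtitle.py -d "qb/downloads/Movie Folder"

# Process all videos in one batch
python3 scripts/smb-download-subtitle.py --all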

Workflow

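Complete download flow

  1. Search for the movie: search Jackett for torrents
  2. Add to qBittorrent: the highest-quality torrent is added automatically
  3. Wait for the download to finish: qBittorrent downloads the video to the NAS
  4. Download subtitles automatically: connect to the NAS over SMB and download subtitles for the video
  5. Upload subtitles: upload the subtitle files to the matching location on the NAS

┌─────────────┐    ┌──────────────┐    ┌──────────────┐    ┌──────────────────┐
│   Jackett   │───▶│ qBittorrent  │───▶│     NAS      │───▶│ Subtitle download│
│   search    │    │   download   │    │ stores video │    │ SMB + subliminal │
└─────────────┘    └──────────────┘    └──────────────┘    └──────────────────┘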

Script Details

jackett-search.sh

Search Jackett for torrents.

Parameters:

  • -q, --query: Search query (required)
  • -u, --url: Jackett URL (optional, uses env var)
  • -k, --api-key: API key (optional, uses env var)

qbittorrent-add.sh

Add torrent to qBittorrent.

Parameters:

  • -m, --magnet: Magnet link (required)
  • -u, --url: qBittorrent URL (optional, uses env var)
  • -n, --username: Username (optional, uses env var)
  • -p, --password: Password (optional, uses env var)

download-movie.sh

One-click search, download, and subtitle fetching.

Parameters:

  • -q, --query: Movie name (required)
  • -s, --subtitle: Enable automatic subtitle download via SMB
  • -l, --lang: Subtitle languages (default: zh,en)
  • --quality: Quality preference (4k, 1080p, 720p, any)

smb-download-subtitle.py 🆕

Download subtitles for videos on NAS via SMB.

Parameters:

  • -f, --file: Single video filename (relative to SMB path)
  • -d, --directory: Directory path (relative to SMB path)
  • -l, --lang: Subtitle languages (default: zh,en)
  • --all: Process all videos in SMB download folder

Example:

# Single video
python3 scripts/smb-download-subtitle.py -f "Lilo And Stitch 2025.mkv"

# Entire folder
python3 scripts/smb-download-subtitle.py -d "qb/downloads/Movie Folder"

# All videos
python3 scripts/smb-download-subtitle.py --all

Features:

  • Connects to NAS via SMB
  • Uses subliminal for subtitle search
  • Downloads Chinese and English subtitles
  • Uploads subtitles to corresponding video folders
  • Skips existing subtitle files

Tips and Best Practices

  • Use English movie names for better search results
  • Check Jackett indexer status if searches return no results
  • Monitor qBittorrent to manage download progress
  • SMB subtitle download works best for popular movies and TV shows
  • Test SMB connection with python3 scripts/smb-download-subtitle.py --test
  • For TV series: Use --subtitle flag to auto-download subtitles for all episodes
  • Subtitle resolution independence: Subtitles are resolution-independent; 720p subtitles work on 1080p videos if the timing matches
  • Expand subtitle sources: By default uses 9 subtitle providers (addic7ed, opensubtitles, podnapisi, etc.) to maximize subtitle find rate

Troubleshooting

SMB Connection Failed

  1. Verify SMB credentials in config/smb.env
  2. Check NAS IP address: ping 192.168.1.246
  3. Ensure SMB service is running on NAS
  4. Verify network connectivity

Subtitle Download Issues

  1. No subtitles found: Try different language codes or the video may not have subtitles available
  2. subliminal not installed: pip3 install subliminal
  3. SMB upload failed: Check folder permissions on NAS

Permission Issues

Ensure scripts have execute permissions:

chmod +x scripts/*.sh
chmod +x scripts/*.py

Security Notes

  • Keep SMB credentials secure in config/smb.env
  • Use HTTPS connections when possible
  • Consider setting up VPN for torrent traffic
  • Monitor qBittorrent for unauthorized downloads
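
One way to act on the first note, shown as an added example that is not part of the skill: a loader that refuses a config/smb.env readable by other local users and has no built-in fallback values. It assumes the file holds plain KEY=VALUE lines (the page does not show its format); `load_smb_env` and `ConfigError` are hypothetical names.

```python
import os
import stat

# Variables the page lists for SMB access; none gets a fallback value here.
REQUIRED = ("SMB_USERNAME", "SMB_PASSWORD", "SMB_SERVER", "SMB_SHARE")


class ConfigError(Exception):
    """Raised when the SMB settings are unsafe to use or incomplete."""


def load_smb_env(path, required=REQUIRED, environ=None):
    """Load SMB settings from a KEY=VALUE file, failing closed."""
    environ = os.environ if environ is None else environ
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Group/other bits mean other local users can read the password.
        raise ConfigError(f"{path} has mode {mode:03o}; run chmod 600 on it")
    values = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, val = line.partition("=")
            key = key.strip()
            if key.startswith("export "):
                key = key[len("export "):].strip()
            values[key] = val.strip().strip("\"'")
    for key in required:
        # A value set in the environment overrides the file.
        if environ.get(key):
            values[key] = environ[key]
    missing = [k for k in required if not values.get(k)]
    if missing:
        raise ConfigError("missing SMB settings: " + ", ".join(missing))
    return {k: values[k] for k in required}
```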

Dependencies

  • curl: For HTTP requests
  • jq: For JSON parsing
  • python3 with pysmb: For SMB operations
  • subliminal: For subtitle download

Install dependencies:

apt-get install curl jq python3 python3-pip
pip3 install pysmb subliminal

Changelog

v3.2.0 - 2025-03-06

  • Expanded subtitle providers: Now uses all 9 available subtitle sources (addic7ed, bsplayer, gestdown, napiprojekt, opensubtitles, opensubtitlescom, podnapisi, subtitulamos, tvsubtitles)
  • Improved subtitle find rate: Successfully found subtitles for 141/141 Young Sheldon episodes (131 Chinese + 20 English)
  • Resolution independence: Clarified that subtitles are not resolution-dependent; 720p subtitles work on 1080p videos
  • Enhanced smb-download-subtitle.py: Refactored with modular functions and better error handling

v3.0 - 2025-02-23

  • ✅ Added SMB subtitle download support
  • ✅ New smb-download-subtitle.py script
  • ✅ Integrated subtitle download into download workflow
  • ✅ Automatic subtitle upload via SMB
  • ✅ Support for Chinese and English subtitles

v2.0 - 2025-02-17

  • ✅ Added automatic subtitle download support
  • ✅ New subtitle-download.sh script
  • ✅ Updated download-movie.sh with -s and -w flags
  • ✅ Support for OpenSubtitles API
  • ✅ Multi-language subtitle support (zh-cn, en, ja, ko, etc.)
