ClawHub

Nas Movie Download

Security checks across malware telemetry and agentic risk

Overview

This NAS movie automation skill appears purpose-related, but it ships exposed credentials and can broadly modify NAS and qBittorrent content.

Install only in an environment you control and only after removing the bundled credentials, rotating any exposed passwords or API keys, and replacing them with least-privilege accounts. Review and restrict the --all subtitle workflows, SMB mount helpers, archive scripts, and any qBittorrent delete behavior before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (80)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return True
    except ImportError:
        print("正在安装 smbprotocol 库...")
        result = subprocess.run(
            [sys.executable, "-m", "pip", "install", "--user", "smbprotocol"],
            capture_output=True,
            text=True
Confidence
92% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", "--user", "smbprotocol"], capture_output=True, text=True )

Tainted flow: 'download_link' from requests.post (line 207, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
if download_link:
                    # 下载实际文件
                    file_response = requests.get(download_link, timeout=60)
                    if file_response.status_code == 200:
                        return file_response.content
Confidence
86% confidence
Finding
file_response = requests.get(download_link, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documents and enables powerful capabilities including shell execution, network access, environment-variable use, and file read/write, but it declares no permissions. That creates a transparency and governance failure: an agent or reviewer may invoke the skill without understanding it can access credentials, manipulate local files, and communicate with internal services such as Jackett, qBittorrent, and SMB shares.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior exceeds the stated purpose of simple movie search/download and subtitle support by including broader NAS/SMB manipulation, batch processing, and potentially destructive torrent/file management. This mismatch is dangerous because users and policy systems may authorize the skill for a narrow media-download use case while it can perform lateral file operations across shares and remove content.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script hardcodes live SMB credentials and then uses them to enumerate and write across a remote share. Embedded secrets are dangerous because anyone with access to the skill can reuse them, and the broad remote traversal/write scope exceeds what is necessary for a narrowly scoped subtitle helper.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
When no folder is specified, the script recursively scans the entire movie library and performs bulk subtitle acquisition and upload. In an agent skill context, this creates a capability much broader than the apparent user task and can cause unintended mass modification of remote content.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds live SMB credentials directly in source code, exposing a username, password, server address, and share details. Anyone who can read the file, logs, backups, or repository history can reuse these secrets to access the NAS share, and skill context makes this especially dangerous because the script automatically performs remote network access and file writes.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script hardcodes live SMB credentials, server identity, and share details directly in source code. Anyone with access to the skill files can recover those secrets and use them to access or modify the NAS share, and the skill context makes this especially dangerous because it automates write access to a real media repository on the local network.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes live SMB credentials and server details directly in source code, exposing secrets to anyone who can read the repository, logs, backups, or packaged skill contents. In this skill context, that is especially dangerous because the capability grants direct access to a private network share and enables unauthorized browsing and modification of media files beyond the nominal torrent/search workflow.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script escalates privilege with sudo to mount an SMB share and then writes subtitle files into that mounted location. In the context of a movie-download helper, this expands capability beyond simple search/download into privileged filesystem and network-share access, which increases the blast radius if the script is misused, pointed at the wrong share, or run in an automated agent context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script accepts an SMB password directly as an argument, adding credential-handling behavior that is unnecessary for a subtitle helper and risky in agent workflows. Command-line secrets are commonly exposed through process listings, shell history, logs, and orchestration metadata, so this creates avoidable credential leakage risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes live SMB credentials, server identity, and share details directly in source code. This exposes reusable secrets to anyone with code access and enables unauthorized access to the NAS share, data theft, tampering, or lateral movement on the local network.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script operates on a hardcoded list of TV-series folders and performs bulk scanning/upload actions that go beyond a user-scoped movie search/download function. This expands access to remote content without explicit user selection, increasing the chance of unintended modification of media libraries and making hidden data operations harder to detect.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The script embeds live SMB credentials, server identity, and share details directly in source code. Anyone with access to the skill can reuse these secrets to access the NAS share, exfiltrate media and other files reachable by that account, or modify remote content without authorization.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script constructs a request URL containing the Jackett API key and then prints that full URL to stdout. This leaks secret material into terminal output, logs, chat transcripts, or orchestration systems, enabling anyone with access to that output to reuse the API key against the Jackett service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds live SMB credentials, including a plaintext password, directly in source code and then uses them to connect to an internal network file share. This creates an immediate secret-exposure risk through source disclosure, logs, backups, or repository access, and can enable unauthorized access to the NAS and any reachable data on that share.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file embeds live SMB credentials and an OpenSubtitles API key directly in source code. Hardcoded secrets are easily exposed through source control, logs, backups, or redistribution of the skill, enabling unauthorized access to the NAS share and abuse of the third-party API account.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The script performs environment modification and system/network operations that exceed a narrowly described movie-download function and are not clearly disclosed. In a skill ecosystem, capability creep is security-relevant because it gives the skill privileged behaviors users may not expect, increasing the chance of unauthorized host changes or lateral network access.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script embeds live default SMB credentials, server identifiers, share names, and paths directly in source code. Hardcoded credentials are highly sensitive because anyone with code access can reuse them to access the NAS, and the skill context makes this worse because the script is designed to reach internal file shares and write content back to them.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The code accesses an additional SMB movie share outside the narrower Jackett/qBittorrent download-management scope described in the skill metadata. This scope expansion increases the reachable data surface and enables the skill to enumerate and modify files in a separate media library, which is dangerous in an automation context because users may not expect that broader access.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script recursively enumerates the SMB share and writes files back to it, giving it broader NAS file-management capability than users would expect from a torrent-download skill. In this context, undisclosed recursive access and remote file modification increase the risk of unintended changes across large portions of the NAS.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script embeds live SMB credentials and uses them to access an internal network share. Hardcoded secrets in distributable skill code are highly sensitive because anyone with file access can reuse them to authenticate to the NAS, and the skill's network-write capability increases the blast radius beyond simple movie management.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code recursively enumerates the SMB share, collecting metadata for all matching video files under the configured path. Even if intended for subtitle management, broad remote-share traversal expands access beyond the stated movie search/download scope and can expose file names, directory structure, and contents inventory from a private NAS.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This section downloads subtitle files via an external tool and writes them back to the SMB share, which materially extends the skill's behavior beyond the described Jackett/qBittorrent search/download workflow. In context, undisclosed remote writes and third-party content retrieval are risky because they can modify NAS contents and pull unreviewed files into a trusted environment.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script hardcodes valid SMB credentials and directly accesses a private network share, which creates an immediate secret-exposure and unauthorized-access risk if the repository or logs are exposed. In this skill context, SMB access is operationally relevant for subtitle placement, but embedding credentials in code is never justified and substantially increases blast radius because the script can enumerate and modify remote files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal