Nas Movie Download
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the skill could use someone else's embedded NAS credentials by default, and the exposed credentials may need to be treated as compromised.
The skill package includes hardcoded SMB credentials for a NAS share, despite registry metadata declaring no primary credential or required environment variables.
SMB_USERNAME=13917908083 SMB_PASSWORD=Roger...
Remove hardcoded secrets, rotate any exposed credentials, require the user to provide their own credentials locally, and declare the credential requirements in metadata.
The agent could search and add downloads using privileged services that the user did not configure, and the embedded credentials are exposed in the artifact.
The download script defaults to embedded Jackett and qBittorrent credentials, giving the skill delegated control over a specific torrent indexer and qBittorrent instance unless the user overrides them.
JACKETT_API_KEY="${JACKETT_API_KEY:-o5gp...}"
QB_USERNAME="${QB_USERNAME:-admin}"
QB_PASSWORD="${QB_PASSWORD:-adminadmin}"
Do not ship service credentials as defaults; require explicit user-provided configuration and document the exact account permissions needed.
A request to download subtitles for one movie could cause the skill to scan many NAS video files and upload subtitle files across the whole folder.
The function accepts a single video title but ignores it and invokes the SMB subtitle script with '--all', which broadens the operation to the entire configured SMB download folder.
download_subtitle_via_smb "$TITLE" "$SUBTITLE_LANGUAGES" ... python3 "$SCRIPT_DIR/smb-download-subtitle.py" --all
Scope automatic subtitle downloads to the completed torrent or explicitly ask for confirmation before running a batch '--all' operation.
If the archive workflow is used, matching downloads can be removed from qBittorrent and the original storage location.
The archive workflow includes a qBittorrent API call that deletes matching torrents and their files after copying, which is disclosed in the archive script but is still a destructive action.
'deleteFiles': 'true'
Use the archive option only after verifying the target movie and destination copy; prefer a confirmation step before deleting torrent files.
The skill may fail or require ad hoc package installation, and users must trust dependencies that are not captured by the registry requirements.
The skill has no install spec or declared required binaries, but its documentation and scripts rely on external packages and command-line tools.
subliminal not installed: `pip3 install subliminal`
Declare all required binaries, Python packages, and setup steps in the skill metadata or install spec.
Movie and TV filenames from the NAS may be sent to third-party subtitle services.
Subtitle downloads use external subtitle providers through subliminal, which will reveal video filenames or derived metadata to those providers as part of the intended subtitle-search workflow.
cmd = ['subliminal', 'download', '--force'] ... cmd.append(local_video)
Only use automatic subtitle downloads for files whose titles you are comfortable sharing with subtitle providers.
