Back to skill

Security audit

Docker Xunler Downloader

Security checks across malware telemetry and agentic risk

Overview

This skill coherently manages downloads on a user-configured Xunlei Docker service, with some dependency and configuration cautions but no artifact-backed malicious behavior.

Before installing, review or replace config.json so it points only to your Xunlei service, install dependencies from a trusted registry, and consider updating or pinning axios after checking compatibility. Use submit commands only for content you are allowed to download because they send the magnet link and selected file metadata to the configured service and can consume storage and bandwidth.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "OpenClaw",
  "license": "MIT",
  "dependencies": {
    "axios": "^1.13.4"
  }
}
Confidence
94% confidence
Finding
"axios": "^1.13.4"

Known Vulnerable Dependency: axios==1.13.4 — 10 advisory(ies): CVE-2026-44494 (axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `co); CVE-2026-44495 (axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollut); CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
axios==1.13.4

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.