Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sumo Torrent
v1.0.4Search BT4G for torrents and add magnet links to qBittorrent. Manual workflow with tracker enrichment. For OpenClaw agents with browser capability.
⭐ 0· 54·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description match the code: search BT4G and add magnet links to qBittorrent. However, the SKILL.md and code assume a Windows path (C:\butler_sumo\...) and a specific browser profile 'my-daily-chrome' as part of normal operation, yet the skill metadata declares no required config paths, no OS restriction, and no required environment variables. Requiring access to a particular browser profile and local filesystem is disproportionate to the high-level description and is not reflected in the declared requirements.
Instruction Scope
Instructions explicitly tell the agent to open the BT4G site using a profile='my-daily-chrome', take screenshots, click into pages, extract magnet hashes, and hand tasks to a single '總管蘇茉' (master agent/profile). Asking the agent to use a specific personal browser profile implies access to session cookies and other site data beyond the torrent site. The SKILL.md also prescribes writing output to a fixed local path and instructs agents to forward requests to a centralized profile—both expand scope beyond a simple search-and-return workflow.
Install Mechanism
No install spec (instruction-only) which is low-risk. The repository includes two Python scripts that perform network calls (requests) and write local files. No remote downloads or installers are used. The presence of runnable code means the agent will execute local scripts when invoked, which is expected but should be noted.
Credentials
The skill declares no required credentials, but the Python bridge embeds default qBittorrent credentials (admin/adminadmin) and assumes localhost:8080. The SKILL.md expects use of a specific browser profile ('my-daily-chrome')—this effectively requests access to a private browser profile and its cookies without declaring it. The scripts also read/write a fixed Windows directory (C:\butler_sumo...), which is not announced in the skill metadata. These implicit resource/credential requirements are disproportionate and potentially privacy-sensitive.
Persistence & Privilege
always:false and no installation hooks are present. The skill does instruct agents to centralize handling via a 'master' profile, which could increase blast radius if that profile is privileged, but the skill itself does not request permanent inclusion or system-level changes.
What to consider before installing
Before installing, consider these points:
- The skill asks the agent to use a specific browser profile ('my-daily-chrome') to bypass Cloudflare. That profile likely contains session cookies and other private data; grant access only if you trust the profile and understand the privacy implications.
- The Python bridge uses hard-coded qBittorrent credentials (admin/adminadmin) and assumes qBittorrent is running on localhost:8080. Change default passwords and avoid exposing the WebUI to the network. If you don't want the skill to control your local qBittorrent, don't provide or allow access to that profile/port.
- The SKILL.md and scripts assume Windows paths (C:\butler_sumo\...) but the registry metadata has no OS restriction. Ensure the paths make sense for your environment and that the agent isn't given unnecessary filesystem access.
- The skill asks other agent instances to forward commands to a centralized 'master' profile; this centralization can concentrate sensitive access. If multiple agents are in use, be cautious about routing actions through a single privileged profile.
- Legal and safety reminder: searching/downloading torrents can have legal risks depending on content and jurisdiction. Verify that your use is lawful.
If you decide to use this skill: review and sanitize the scripts (remove hard-coded credentials, confirm output path), avoid sharing personal browser profiles with the agent, and restrict the agent's browser/session access to a disposable profile where possible.Like a lobster shell, security has layers — review code before you run it.
bt4gvk9747gqdzdc0fc5981nydrzqns84aerelatestvk9747gqdzdc0fc5981nydrzqns84aeremagnetvk9747gqdzdc0fc5981nydrzqns84aereqbittorrentvk9747gqdzdc0fc5981nydrzqns84aeretorrentvk9747gqdzdc0fc5981nydrzqns84aere
License
MIT-0
Free to use, modify, and redistribute. No attribution required.