Back to skill

Security audit

PT Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed private-tracker and downloader assistant, but it includes broader downloader-control and public-torrent surfaces that users should review before installing.

Install only if you intentionally want an agent to control your configured private trackers and downloader. Review or disable public-site presets, generic magnet adding, immediate-start downloads, and resume-all behavior if you want stricter confirmation or private-tracker-only scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell commands, accesses files and environment-backed secrets, and can perform networked actions, yet it declares no permissions. This creates a transparency and policy-enforcement gap: hosts or reviewers may treat it as lower-risk than it really is, while the skill can still drive privileged operations such as downloader control and secret resolution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The public description frames the skill as a focused private-tracker assistant, but the content exposes broader operational capabilities including store administration, legacy migration, env-file writing, benchmarking, and validation tooling. That mismatch can mislead users and hosting systems about the real attack surface and enable unintended invocation of sensitive maintenance functions.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The guidance only requires deleting temporary torrent files after a successful handoff, leaving failure-path cleanup unspecified. In a private-tracker context, failed adds can leave .torrent files containing sensitive tracker URLs, identifiers, or passkey-bearing metadata on disk longer than intended, increasing the chance of local disclosure through logs, backups, or other processes.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The catalog includes many entries explicitly marked as type "public" even though the skill metadata says it should only be used for private-tracker requests and should not trigger for public torrents. This creates a real scope-bypass risk: downstream logic can expose public torrent search/download behavior through a skill users and higher-level orchestration may trust as private-tracker-only.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Because the dataset advertises supportedCapabilities such as "search" and "download_torrent" for public sources, the skill materially enables public torrent discovery and handoff beyond its declared purpose. In this context, the mismatch is dangerous because policy, user consent, and calling code may rely on the skill description to constrain behavior, leading to unauthorized or unexpected content acquisition paths.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The `add-magnet` command accepts any `magnet:` URI and forwards it directly to qBittorrent, without restricting the source to private-tracker handoff flows or validating that it came from a prior search/download result. That creates a broader downloader-control capability than the skill description suggests, enabling an agent or prompt-injected workflow to enqueue arbitrary content on the user's downloader.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The resume path supports `--all`, which can start every paused torrent in qBittorrent, extending the skill from informational/PT handoff behavior into broad state-changing downloader administration. In an agent setting, this increases the blast radius of prompt injection or accidental invocation, because a single action can trigger many downloads/uploads at once.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill is designed to hand off downloads immediately to a real downloader, which can cause external side effects such as queueing content, consuming bandwidth/storage, and potentially affecting ratio or account standing. Because the action is operationally significant, omitting a clear warning increases the risk of unintended execution by users who think they are only inspecting results.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly forbids confirmation before starting downloads, but that non-interactive behavior is not prominently disclosed in the skill metadata. In a downloader-integrated context, this can lead to accidental real-world actions with resource, privacy, and tracker-account consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instruction to immediately run the download command without confirmation removes a safety checkpoint before initiating an external side effect. In this skill, that can cause unintended torrent acquisition, trigger activity on private-tracker accounts, and create legal, privacy, or operational consequences if a result is mis-selected or manipulated.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
`download_torrent` defaults `addPaused` to `False`, so fetching a tracker torrent immediately adds and starts it in qBittorrent unless the caller opted out. In an agent context, default-on execution of a state-changing network action is risky because ambiguous user requests, tool misuse, or prompt injection can cause unintended downloads and possible seeding behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The resume operation performs an immediate state change and can target selected torrents or all torrents, but there is no built-in confirmation or safety interlock in the execution path. That is dangerous in an agent-driven environment because a mistaken or manipulated command can activate paused jobs, causing unexpected bandwidth use, storage consumption, and potential ratio/privacy consequences on private trackers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The validator dynamically loads and executes repository-local modules via importlib and spec.loader.exec_module() during validation. If a malicious contributor places arbitrary top-level code in scripts/pt_store.py or scripts/pt_runtime.py, running the validator will execute that code immediately, turning a validation step into an arbitrary code execution path.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
10. When the user selects a search result to download, execute immediately with the default downloader and `--start`. Skip confirmation, dry-run, and paused mode unless the user explicitly asked to queue paused. Report `added` / `already_present` / `resumed` with progress when available.
11. Finish with the outcome, current usable state, and the next natural action. Resume the user's original task automatically after setup when possible.

For download handoff on an already-selected result, run one real `download-torrent --start` command immediately. No confirmation step. No dry-run gate. Prefer `--start` unless the user requested a paused add. The runtime returns `already_present` or auto-`resumed` for duplicates/paused items; surface that directly. Keep confirmation only for configuration changes, deletions, or bulk/ambiguous destructive actions.

## Interaction Quality
Confidence
88% confidence
Finding
No confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
7. Present one redacted confirmation summary before enabling or changing configuration. After confirmation, run a harmless health check when the host can resolve the reference; otherwise mark it `pendingHealthCheck`.
8. Fetch and persist sanitized account statistics after successful tracker validation when supported. Record a redacted repair status when refresh fails.
9. Present search results as a numbered, paginated list with title, size, seeders, publish time, and discount state when available. Keep private URLs and passkeys hidden.
10. When the user selects a search result to download, execute immediately with the default downloader and `--start`. Skip confirmation, dry-run, and paused mode unless the user explicitly asked to queue paused. Report `added` / `already_present` / `resumed` with progress when available.
11. Finish with the outcome, current usable state, and the next natural action. Resume the user's original task automatically after setup when possible.

For download handoff on an already-selected result, run one real `download-torrent --start` command immediately. No confirmation step. No dry-run gate. Prefer `--start` unless the user requested a paused add. The runtime returns `already_present` or auto-`resumed` for duplicates/paused items; surface that directly. Keep confirmation only for configuration changes, deletions, or bulk/ambiguous destructive actions.
Confidence
83% confidence
Finding
Skip confirmation

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/validate_skill.py:192

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/common-site-apis.md:140

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/message-workflow.md:695

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
scripts/validate_skill.py:243