Low Risk — Risk Score 20/100
Last scan: 23 hr ago
torrent-search
Searches BT4G for torrent files and outputs magnet links with trackers; supports adding them directly to qBittorrent.
A legitimate torrent search skill that hardcodes qBittorrent WebUI credentials but does not exfiltrate them; network access is confined to declared BT4G and tracker domains.
Skill Name: torrent-search
Duration: 34.6s
Engine: pi
Safe to install
Remove hardcoded credentials from add_to_qbittorrent.py and use environment variables or a config file instead. Otherwise, this skill performs its declared function safely.

Findings (2 items)

Finding 1
  Severity:        Low
  Category:        Doc Mismatch
  Finding:         Hardcoded qBittorrent credentials not documented as a security consideration
  Details:         add_to_qbittorrent.py lines 21-23 hardcode QB_USER='admin' and QB_PASS='adminadmin'. SKILL.md warns about changing the password but does not mention that the credentials are embedded in the source code. No exfiltration is observed, but this is a documentation gap.
  Evidence:
      QB_USER = "admin"
      QB_PASS = "adminadmin"
  Recommendation:  Move credentials to environment variables or a config file; document the credential handling in SKILL.md
  Location:        add_to_qbittorrent.py:21

Finding 2
  Severity:        Low
  Category:        Doc Mismatch
  Finding:         network:WRITE to qBittorrent WebUI not explicitly declared in capability section
  Details:         SKILL.md describes browser/WebFetch network access but does not explicitly state that the skill makes HTTP POST requests to qBittorrent's WebUI at localhost:8080. This is partially visible in the prose but missing from a formal capability declaration.
  Evidence:        SKILL.md describes browser usage and qBittorrent integration but lacks a formal capability declaration for network:WRITE
  Recommendation:  Add a formal 'Capabilities' or 'Permissions' section to SKILL.md listing all network endpoints (bt4gprx.com, localhost:8080, tracker URLs)
  Location:        SKILL.md:1
Resource     Declared  Inferred    Status     Evidence
Filesystem   WRITE     WRITE       ✓ Aligned  SKILL.md declares write to C:/butler_sumo/docs/torrent/; torrent_search.py lines…
Network      READ      READ+WRITE  ✓ Aligned  SKILL.md declares browser/WebFetch (READ) to bt4gprx.com; add_to_qbittorrent.py …
Database     WRITE     WRITE       ✓ Aligned  SKILL.md line ~216 declares qBittorrent WebUI integration; add_to_qbittorrent.py…
Environment  NONE      READ        ✓ Aligned  add_to_qbittorrent.py reads QB_URL/QB_USER/QB_PASS as hardcoded constants, not f…
External URL findings (12 items)

Severity  Type          URL                                             Location
Medium    External URL  https://bt4gprx.com/search?q=關鍵字              SKILL.md:19
Medium    External URL  https://tracker.zhuqiy.com:443/announce         SKILL.md:189
Medium    External URL  https://tracker.pmman.tech:443/announce         SKILL.md:190
Medium    External URL  https://tracker.nekomi.cn:443/announce          SKILL.md:191
Medium    External URL  https://tracker.moeblog.cn:443/announce         SKILL.md:192
Medium    External URL  https://tracker.bt4g.com:443/announce           SKILL.md:193
Medium    External URL  http://tracker.opentrackr.org:1337/announce     add_to_qbittorrent.py:38
Medium    External URL  http://tracker.torrent.eu.org:451/announce      add_to_qbittorrent.py:39
Medium    External URL  https://tracker.lilith档.com:443/announce        add_to_qbittorrent.py:40
Medium    External URL  https://tr.highhopes.xyz:443/announce           add_to_qbittorrent.py:41
Medium    External URL  https://t.trackers.net:443/announce             add_to_qbittorrent.py:42
Medium    External URL  https://bt4gprx.com/search?q=                   torrent_search.py:89

File Tree

4 files · 25.3 KB · 795 lines
Python: 2 files, 433 lines · Markdown: 2 files, 362 lines
├─ 🐍 add_to_qbittorrent.py Python 280L · 9.7 KB
├─ 📝 SKILL_zh.md Markdown 128L · 3.7 KB
├─ 📝 SKILL.md Markdown 234L · 6.7 KB
└─ 🐍 torrent_search.py Python 153L · 5.3 KB

Dependencies (1 item)

Package   Version  Source                   Known Vulns  Notes
requests  *        pip (stdlib-equivalent)  No           Version not pinned; no specific CVE exploitation observed

Security Positives

✓ No base64-encoded execution, eval(), or obfuscated code found
✓ No credential harvesting loops or environment variable iteration for sensitive keys
✓ No curl|bash or wget|sh remote script execution
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive paths
✓ No reverse shell, C2 communication, or data exfiltration to external IPs
✓ No hidden instructions in HTML comments or prompt injection detected
✓ No supply chain risks — only uses the standard 'requests' library, version unpinned but no known vulnerabilities exploited
✓ Pre-scan confirmed no sensitive files (.env, .git/credentials) present
✓ Functionality is entirely consistent with declared purpose: torrent search and qBittorrent integration