← Back to Skills Marketplace
1979
Downloads
3
Stars
6
Active Installs
10
Versions
Install in OpenClaw
/install nas-movie-download
Description
Search and download movies via Jackett and qBittorrent. Use when user wants to download movies or videos from torrent sources, search for specific movie titl...
Usage Guidance
This package appears to do what it says (search torrents via Jackett, add to qBittorrent, download/upload subtitles via SMB), but there are red flags you should consider before installing or running it:
- Hard-coded secrets: The bundle contains plaintext credentials and default API keys/URLs (SMB username/password, qBittorrent credentials, Jackett API key and 192.168.* address). Treat these as untrusted—they may be placeholders, but they could also belong to someone else, or be reused later. Replace or remove them and store real credentials in environment variables or a secure secret store.
- Metadata mismatch: The registry metadata claims no required env vars/config paths, yet SKILL.md and the files expect and reference config/smb.env and many env variables. This inconsistency could cause accidental use of embedded defaults. Review SKILL.md and all config files and ensure no unwanted credentials remain.
- Network effects and legality: The scripts will make network requests to local/Internet hosts and spawn subprocesses (subliminal uses external subtitle providers). Only run in an environment where these network accesses are allowed and legal (torrenting may be illegal in your jurisdiction). Consider running in an isolated network or VM first.
- Audit and harden before use: Inspect the entire code bundle (you have it) and remove or rotate embedded credentials, confirm the Jackett/qBittorrent endpoints are yours, and prefer to set environment variables rather than use defaults. If you don't control the referenced SMB/qBittorrent/Jackett hosts, do not run the scripts.
- If you need higher assurance: ask the publisher for provenance (who maintains this skill), confirm the embedded credentials are placeholders, and request an updated package that does not include secrets and that documents required env vars/config paths in metadata.
Why suspicious not malicious: The code implements the described behavior and does not contain obvious exfiltration backchannels or obfuscated remote endpoints, but the inclusion of real-looking credentials and the metadata mismatch are significant coherence problems that could lead to credential misuse or accidental connection to unknown hosts. More information from the author (or removal/rotation of embedded secrets) could change this to benign.
Capability Analysis
Type: OpenClaw Skill
Name: nas-movie-download
Version: 3.2.2
The skill bundle contains numerous high-risk behaviors and severe security vulnerabilities, though they appear to be the result of poor practice rather than intentional malice. Most notably, multiple files (SKILL.md, config/smb.env, and several Python scripts like archive-movie.py) contain hardcoded plaintext credentials for SMB, Jackett, and qBittorrent services. The scripts perform high-privilege operations, including 'sudo mount' commands in download-subtitle-smb.sh and automated package installation via 'pip install' in smb-browser.py. Additionally, generate-subtitle-script.py writes executable shell scripts to the filesystem. While these functions align with the stated purpose of NAS automation, the exposure of credentials and use of high-risk system calls make the bundle a significant security risk.
Capability Assessment
Purpose & Capability
Name/description (Jackett + qBittorrent + SMB subtitle fetching) align with the included scripts: search, add magnet to qBittorrent, wait for completion, and download/upload subtitles via SMB. The code implements the stated capabilities.
Instruction Scope
SKILL.md and scripts instruct the agent to access network services (Jackett, qBittorrent, subtitle providers) and an SMB share—this is expected. However SKILL.md documents environment variables and a config file but the skill metadata declares no required env vars or config paths; the packaged files read/write config/smb.env and embed defaults. The instructions also reference running many scripts that will attempt SMB and HTTP access and run subprocesses (subliminal), which is within scope but broad.
Install Mechanism
No install spec; this is an instruction + code bundle. That lowers supply-chain risk compared with remote downloads. Scripts rely on system binaries (python3, curl, jq, subliminal) but none are installed by the skill itself.
Credentials
Although the registry metadata lists no required environment variables or primary credential, the SKILL.md and many scripts expect and embed sensitive values: JACKETT_API_KEY, QB_USERNAME/QB_PASSWORD, SMB_USERNAME/SMB_PASSWORD, and a private IPv4 address (192.168.1.246). Multiple files include plaintext credentials and server addresses (config/smb.env and numerous scripts). Requesting network credentials for the services the skill uses is reasonable, but bundling valid-seeming credentials in code/config and not declaring them in metadata is inconsistent and risky.
Persistence & Privilege
The skill does not request always:true and contains no install-time hooks or modifications to other skills. It runs when invoked and doesn't claim persistent system-level privileges beyond normal network/SMB access.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install nas-movie-download - After installation, invoke the skill by name or use
/nas-movie-download - Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.2.2
修复 SMB 字幕下载兼容性,优化错误处理
v3.2.1
优化字幕下载逻辑,增强 SMB 稳定性,新增自动归档功能
v3.2.0
扩大字幕源范围至全部9个provider,提升字幕找到率;优化字幕下载脚本结构;添加字幕与分辨率无关的说明
v1.1.0
v1.1.0: 新增自动归档功能,支持将下载完成的电影从SSD移动到机械硬盘,并自动删除qBittorrent种子
v3.1.1
## Changelog v3.1.1
- No changes detected in this version.
- Functionality and documentation remain the same as previous release.
v3.1.0
修复 jq 语法错误:将 contains 改为 test 正则匹配;添加 .Results 数组访问前缀
v3.0.0
Add SMB subtitle download support with subliminal integration
v1.0.2
## v1.0.2
- Added new scripts: `download-subtitle-remote.sh` and `download-subtitle-smb.sh`
- Updated metadata in `_meta.json`
v1.0.1
Automatic subtitle download support added.
- New `subtitle-download.sh` script for downloading subtitles using OpenSubtitles.
- `download-movie.sh` updated with options to enable automatic subtitle fetching (`-s`) and wait for download completion (`-w`).
- Multi-language subtitle support (default: zh-cn,en).
- Subtitle configuration and usage instructions added to documentation.
- New dependencies: OpenSubtitles API key, `bc`.
v1.0.0
Initial release of the NAS Movie Download skill.
- Automates searching and downloading movies using Jackett and qBittorrent.
- Supports searching by movie name, including non-English titles.
- Automatically selects the highest available quality (4K/UHD, 1080p, 720p, etc.).
- Provides scripts for searching, downloading, and manually managing torrents.
- Includes configuration guidance, troubleshooting tips, and best practice recommendations.
- Requires curl, jq, and Bash for operation.
Metadata
Frequently Asked Questions
What is Nas Movie Download?
Search and download movies via Jackett and qBittorrent. Use when user wants to download movies or videos from torrent sources, search for specific movie titl... It is an AI Agent Skill for Claude Code / OpenClaw, with 1979 downloads so far.
How do I install Nas Movie Download?
Run "/install nas-movie-download" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Nas Movie Download free?
Yes, Nas Movie Download is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Nas Movie Download support?
Nas Movie Download is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Nas Movie Download?
It is built and maintained by Roger (@roger0808); the current version is v3.2.2.
More Skills