Nas Movie Download

Search and download movies via Jackett and qBittorrent. Use when user wants to download movies or videos from torrent sources, search for specific movie titl...

This package appears to do what it says (search torrents via Jackett, add to qBittorrent, download/upload subtitles via SMB), but there are red flags you should consider before installing or running it: - Hard-coded secrets: The bundle contains plaintext credentials and default API keys/URLs (SMB username/password, qBittorrent credentials, Jackett API key and 192.168.* address). Treat these as untrusted—they may be placeholders, but they could also belong to someone else, or be reused later. Replace or remove them and store real credentials in environment variables or a secure secret store. - Metadata mismatch: The registry metadata claims no required env vars/config paths, yet SKILL.md and the files expect and reference config/smb.env and many env variables. This inconsistency could cause accidental use of embedded defaults. Review SKILL.md and all config files and ensure no unwanted credentials remain. - Network effects and legality: The scripts will make network requests to local/Internet hosts and spawn subprocesses (subliminal uses external subtitle providers). Only run in an environment where these network accesses are allowed and legal (torrenting may be illegal in your jurisdiction). Consider running in an isolated network or VM first. - Audit and harden before use: Inspect the entire code bundle (you have it) and remove or rotate embedded credentials, confirm the Jackett/qBittorrent endpoints are yours, and prefer to set environment variables rather than use defaults. If you don't control the referenced SMB/qBittorrent/Jackett hosts, do not run the scripts. - If you need higher assurance: ask the publisher for provenance (who maintains this skill), confirm the embedded credentials are placeholders, and request an updated package that does not include secrets and that documents required env vars/config paths in metadata. Why suspicious not malicious: The code implements the described behavior and does not contain obvious exfiltration backchannels or obfuscated remote endpoints, but the inclusion of real-looking credentials and the metadata mismatch are significant coherence problems that could lead to credential misuse or accidental connection to unknown hosts. More information from the author (or removal/rotation of embedded secrets) could change this to benign.

Type: OpenClaw Skill Name: nas-movie-download Version: 3.2.2 The skill bundle contains numerous high-risk behaviors and severe security vulnerabilities, though they appear to be the result of poor practice rather than intentional malice. Most notably, multiple files (SKILL.md, config/smb.env, and several Python scripts like archive-movie.py) contain hardcoded plaintext credentials for SMB, Jackett, and qBittorrent services. The scripts perform high-privilege operations, including 'sudo mount' commands in download-subtitle-smb.sh and automated package installation via 'pip install' in smb-browser.py. Additionally, generate-subtitle-script.py writes executable shell scripts to the filesystem. While these functions align with the stated purpose of NAS automation, the exposure of credentials and use of high-risk system calls make the bundle a significant security risk.