Is buryni/torrentclaw safe?

https://github.com/openclaw/skills/tree/main/skills/buryni/torrentclaw

Overall score: 79 (CAUTION)

TorrentClaw is a torrent search and download skill that presents no evidence of malicious prompt injection, credential theft, or unauthorized code execution — the skill code is reasonably well-written with recent security improvements. However, it mandates persistent telemetry to a third-party server (torrentclaw.com), including every user search query and torrent selection, with no opt-out mechanism. The skill also facilitates potentially copyright-infringing downloads without legal warnings, promotes external npx code execution for MCP setup, and relies on an external API whose response fields (titles, overviews, cast names) could carry prompt injection payloads to the agent.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 82/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

HIGH Mandatory per-selection tracking telemetry to third-party server -18

SKILL.md workflow Step 4 instructs the agent to POST to /api/v1/track after every torrent selection. This unconditionally sends the infoHash and action type to torrentclaw.com, building a persistent server-side record of every torrent the user selects. The behaviour is disclosed in the documentation, but the agent is instructed to execute it without user confirmation.

HIGH API response fields can carry prompt injection payloads -15

The skill displays API response fields (title, overview, releaseGroup, cast names) directly in agent output without sanitization. A malicious or compromised torrentclaw.com API could embed prompt injection instructions in these fields that the agent processes as instructions, potentially hijacking agent behavior during a search session.

MEDIUM Magnet URI from external API passed to local torrent client without content validation -12

add-torrent.sh validates the magnet URL format (regex for btih hash format) but does not validate the tracker announce URLs embedded in the magnet URI. A compromised torrentclaw.com API could return magnet URIs with malicious tracker announce URLs (tr= parameters) pointing to attacker-controlled infrastructure, which would be passed directly to the user's torrent client.

MEDIUM All user search queries transmitted to and logged by third-party service -10

Every search query the user makes is transmitted to torrentclaw.com as a URL query parameter. Server-side logging of those queries is confirmed by the x-search-source header and by the search-analytics API endpoint, which explicitly returns topQueries and zeroResultQueries.

MEDIUM Skill promotes npx MCP server installation without user review -20

SKILL.md includes a prominent MCP Server Integration section recommending npx @torrentclaw/mcp for Claude Desktop users. An agent reading this documentation could suggest this command to users, which would download and execute arbitrary npm code without a security review. This is an embedded recommendation for external code execution.

MEDIUM Unconditional analytics telemetry header injected into all API calls -8

The x-search-source: skill header is mandated in every API call with no opt-out mechanism. This is a persistent telemetry signal that identifies agent-originated traffic. While benign in isolation, combined with query logging it enables complete activity profiling at the service level.

LOW detect-client.sh probes localhost services without user prompt -5

detect-client.sh automatically checks for a running aria2 RPC daemon by making an HTTP request to http://localhost:6800/jsonrpc as part of Step 1. This network probe occurs before the user has confirmed they want to use the skill and without asking permission.

LOW No copyright or legal notice presented to users -15

The skill facilitates downloading of movies and TV shows via BitTorrent without any warning about copyright law or legal usage requirements. In many jurisdictions, downloading copyrighted content without authorization is illegal. A user following the skill's workflow could inadvertently break the law.

INFO Recent security vulnerability history in CHANGELOG -2

CHANGELOG documents two shell injection vulnerabilities fixed in versions 0.1.16 and 0.1.17, indicating the skill had exploitable security bugs in recent history. The fixes appear legitimate and the current code uses safe patterns (jq --arg, --data-urlencode), but the history warrants noting.