Manage torrents with qBittorrent. Use when the user asks to "list torrents", "add torrent", "pause torrent", "resume torrent", "delete torrent", "check download status", "torrent speed", "qBittorrent stats", or mentions qBittorrent/qbit torrent management.
Security Analysis
medium confidenceThe skill appears to do exactly what it claims (manage qBittorrent via its WebUI API); nothing obvious is trying to access unrelated systems, but there are minor metadata omissions and some local credential handling you should be aware of.
The name/description match the shipped script and README: the skill talks to qBittorrent's WebUI API to list/add/pause/resume/delete torrents and adjust limits. However the metadata declares no required binaries or env vars while the script clearly depends on curl and jq (and uses id). That omission is a discrepancy in the manifest, though the binaries themselves are reasonable and expected for this purpose.
SKILL.md and README instruct the agent to read a local config file (~/.clawdbot/credentials/qbittorrent/config.json) or environment variables and then call qBittorrent's local/remote WebUI API. The included script only interacts with the configured QBIT_URL and uses a temporary cookie file under /tmp; it does not attempt to read other unrelated system files or send data to unexpected external endpoints.
There is no install spec (instruction-only with an included helper script). No archives or remote downloads are performed by the skill itself, so there is low install-time risk.
The skill requires qBittorrent credentials (username/password) which is appropriate. Those credentials are expected in a local JSON config file or via QBIT_URL/QBIT_USER/QBIT_PASS env vars (documented in README) but the registry metadata does not list these env vars or the need to store credentials in the filesystem—this mismatch should be noted. The script stores a session SID in /tmp, which is normal for a client script but means credentials are present on disk (config file and cookie).
always:false and normal model invocation are set. The skill does not request persistent system-wide privileges nor modify other skill configurations. It writes a per-user cookie file in /tmp and asks the user to create a local config file; both are limited in scope.
Guidance
This skill appears coherent for managing qBittorrent, but check a few things before installing: (1) Inspect the included scripts yourself — qbit-api.sh uses curl and jq (ensure they exist and are acceptable on your system). (2) The skill requires qBittorrent WebUI credentials stored in a plaintext JSON config (~/.clawdbot/credentials/qbittorrent/config.json) or environment variables; consider file permissions and use a least-privileged account. (3) Ensure QBIT_URL points to a trusted host (prefer localhost) — do not expose credentials to a remote, untrusted WebUI. (4) The registry metadata omits declaring required binaries/envs; if you rely on automatic environment checks, add curl/jq to your environment first. If any of these points are unacceptable (e.g., you cannot store credentials locally or cannot trust the WebUI endpoint), do not enable the skill.
Latest Release
v1.0.0
Initial release of the qBittorrent skill. - Manage torrents using qBittorrent's WebUI API (v4.1+) - Supports listing, adding, pausing, resuming, deleting, and rechecking torrents - Provides quick commands for filtering by status or category - Includes global transfer stats, speed limit controls, and torrent metadata management (categories/tags) - Offers detailed reference for setup and usage in SKILL.md
More by @jmagar
Published by @jmagar on ClawHub
