Aria2 Downloader

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill has a coherent downloader purpose, but it embeds a fixed aria2 RPC token and describes automatic cloud transfer plus local deletion without clear scope, credentials, or safety controls.

Only install this if you understand and control the aria2 daemon, RPC secret, 115 cloud account, and completion hook. Replace the hard-coded RPC token with your own secret, review any transfer script before enabling it, and disable automatic deletion unless you have a clear backup and recovery plan.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may try to use or lead the user to reuse an exposed fixed RPC secret, and anyone who can reach that RPC service with the secret could manage downloads.

Why it was flagged

The text says a user-specific RPC secret should be used, but the command examples embed a fixed token for controlling the local aria2 daemon; the registry metadata also declares no required credential or env var.

Skill content

RPC secret: use `<YOUR_RPC_SECRET>` in commands or configure an environment variable ... "params":["token:e603c18b871468e81ec2b2458d3356e5",["<URL>"]]

Recommendation

Remove the hard-coded token, declare a required user-owned secret or config variable, and instruct users to rotate any copied token and keep aria2 RPC bound to localhost.

What this means

Downloaded files could be uploaded and local copies deleted automatically, so mistakes in the hook or download target could cause unwanted data movement or data loss.

Why it was flagged

Automatic upload to cloud storage followed by local deletion is a high-impact action, but the artifact does not define which files are affected, when user approval is required, how deletion is limited, or how recovery works.

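Skill content

After a download completes, automatically transfer it to 115 cloud storage and delete the local file ... It is recommended to configure the `on-download-complete` hook in `aria2.conf`.

Recommendation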

Require explicit user confirmation before transfer and deletion, restrict actions to a specific download directory, log each action, and provide a clear recovery or no-delete option.

What this means

Users may need to install or enable unreviewed local automation that can access cloud storage and delete local files.

Why it was flagged

The key transfer-and-delete automation depends on a host-side script that is not included in the artifact set, so its provenance, permissions, deletion behavior, and credential handling cannot be reviewed.

Skill content

This Skill must be used together with a host-side automatic transfer script.

Recommendation

Provide the exact script, trusted source, version, and checksum, or document a safe manual workflow instead of relying on an unspecified helper.

What this means

Files may leave the local machine and be stored in 115 cloud storage under unclear account and folder settings.

Why it was flagged

The skill sends completed downloads to an external cloud provider, but does not specify the account, destination, credential scope, privacy boundary, or user approval model.

Skill content

After a download completes, automatically transfer it to 115 cloud storage

Recommendation

Declare the 115 account/credential requirements, destination folder, and upload scope, and ask the user before transferring files.

What this means

The downloader and hook may keep running after the user’s immediate request is finished.

Why it was flagged

Daemon mode and completion hooks are expected for an aria2 automation skill, but they are persistent background mechanisms that can continue operating outside a single chat turn.

Skill content

aria2 runs in daemon mode and manages tasks through the RPC interface. ... `on-download-complete` hook

Recommendation

Ensure the daemon and hook are intentionally enabled, easy to disable, and limited to the intended download directory and account.