Intent-Code Divergence
Medium
- Confidence
- 99% confidence
- Finding
- The documentation claims the RPC secret should be replaced with a placeholder or environment variable, but the example embeds a real-looking fixed token directly in the request. Hardcoded secrets in skill content can be reused by anyone with access to the skill, enabling unauthorized control of the local aria2 RPC service and any connected automation such as post-download transfer and deletion hooks.
