Security audit

Aria2 Downloader

Security checks across malware telemetry and agentic risk

Overview

This skill controls a user-configured aria2 download server; the main caution is careful handling of the local RPC token file.

Install only if you intend to let Codex control your aria2 server. Keep .aria2-config.json out of version control, restrict access to it, prefer HTTPS for the JSON-RPC URL, and rotate the aria2 token if the file is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README instructs users to place a secret RPC token in a plaintext config file in the workspace root without any warning about credential exposure, accidental commits, or file permission hygiene. In agent/workspace contexts, root-level files are commonly accessible to other tools or easily committed to version control, which could expose control of the remote aria2 service.

VirusTotal

60/60 vendors flagged this skill as clean.