Aria2 Json Rpc

v0.1.0

Interact with aria2 download manager via JSON-RPC 2.0. Manage downloads, query status, and control tasks through natural language commands. Use when working with aria2, download management, or torrent operations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: scripts provide JSON-RPC calls, command mapping, config loader, and examples for aria2 operations (addUri, addTorrent, tellStatus, pause, etc.). The code and docs all align with a download-manager control skill; nothing requested (no required env vars or binaries) is unexpected for this purpose.
Instruction Scope
SKILL.md instructs agents to run the included Python scripts and to load configuration from config files or ARIA2_RPC_* environment variables. This is expected. Two important runtime behaviors to be aware of: (1) helper scripts (e.g., add-torrent) read local files (a .torrent file is base64-encoded and sent to the aria2 server) — meaning the skill can transmit file contents to the configured RPC endpoint; (2) aria2 will fetch arbitrary URLs on request, which can be used to probe or access internal resources (SSRF-like behavior). These are functional features for a download manager but represent sensitive operations that require a trusted remote endpoint and careful handling of paths/inputs.
Install Mechanism
Instruction-only install (no install spec); code files are bundled with the skill. No external downloads or unusual install steps are requested by the skill metadata. Dependencies (Python 3.6+ and optional websockets package) are reasonable and documented in SKILL.md.
Credentials
The skill does not require environment variables but supports optional ARIA2_RPC_* overrides (host, port, path, secret, secure, timeout). This is proportional for connecting to an aria2 server. However, the secret token (ARIA2_RPC_SECRET) is sensitive; the skill's config precedence gives environment variables highest priority so users must avoid exposing secrets in public CI logs or repo-tracked skill config. CONFIG.md documents best practices (chmod, .gitignore), which is good.
Persistence & Privilege
The skill does not request always:true and makes no claim to modify other skills or global agent settings. It will create/use a user config at ~/.config/aria2-skill/config.json when initialized, which is reasonable for preserving user settings across skill updates.
Assessment
This skill appears to be what it says: a local agent wrapper around aria2's JSON-RPC. Before installing or using it, consider the following:
- Only point this skill at aria2 servers you trust. The scripts will instruct aria2 to fetch arbitrary URLs you supply — that can be used to access internal network resources (SSRF) or to make the aria2 host fetch content on your behalf.
- Be careful with add-torrent / add-torrent-file operations: the scripts read local .torrent files (base64-encode and send them). Do not provide paths to sensitive local files; a misused add-torrent call could upload arbitrary file contents to the aria2 RPC endpoint.
- Protect the secret: ARIA2_RPC_SECRET is supported and may be supplied via env vars or user config. Do not commit secrets to repo-tracked skill config (use ~/.config/aria2-skill or CI secrets) and set file permissions (e.g., chmod 600) as recommended in CONFIG.md.
- If you will connect to a remote aria2 instance, prefer HTTPS and a secret token; verify the server operator and network exposure. Consider using a locally hosted aria2 instance if you need to minimize exposure.
- Review the bundled scripts (rpc_client.py, websocket_client.py, add-torrent example) before running them in environments with sensitive data to ensure they only perform the expected RPC calls.

If you want higher assurance, request a focused review of rpc_client.py and scripts/examples/add-torrent.py (full sources) to confirm exactly how files are read and how RPC payloads are constructed and logged.

Like a lobster shell, security has layers — review code before you run it.
