Aria2 Json Rpc

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for controlling aria2, but it can run local helper scripts, store an aria2 RPC secret, and change download state or options.

Install this only if you want an agent to control your aria2 instance. Configure it for the correct host, protect the RPC secret, use HTTPS for remote servers, and confirm destructive, batch, or global-option changes before allowing them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill can start downloads, alter download settings, pause or remove tasks, and clear download-result history on the configured aria2 instance.

Why it was flagged

The skill exposes shell-invoked RPC operations with user-supplied parameters and includes mutating or batch actions. This is aligned with download management, but users should be aware of the control granted.

Skill content

Execute the script using the Bash tool with proper parameters ... Download a file | `python3 scripts/rpc_client.py aria2.addUri '["{URL}"]'` ... Remove active download | `python3 scripts/rpc_client.py aria2.remove {GID}` ... Change global options ... Purge download results

Recommendation

Use it only with the intended aria2 server, verify URLs/torrents before adding them, and ask for confirmation before remove, purge, batch, or global-option changes.

What this means

Anyone or any process with access to the token may be able to control downloads on the configured aria2 server.

Why it was flagged

The skill can use and persist an aria2 RPC secret token in a config file or environment variable. This is expected for authenticated aria2 access, but the token grants control over the RPC endpoint.

Skill content

`secret` | string/null | `null` | RPC secret token ... Location: `~/.config/aria2-skill/config.json` ... export ARIA2_RPC_SECRET="your-token"

Recommendation

Use a dedicated aria2 RPC secret, keep config files private, prefer HTTPS for remote servers, and avoid committing config files containing secrets.

What this means

Installing and invoking the skill lets the agent run the included local Python code to contact aria2.

Why it was flagged

The skill directs agents to execute bundled Python helper scripts. This is central to the skill's purpose and is openly documented.

Skill content

ALWAYS use the Python scripts in the `scripts/` directory ... `python3 scripts/config_loader.py test` ... `python3 scripts/rpc_client.py aria2.addUri '["http://example.com/file.zip"]'`

Recommendation

Review the included scripts if possible and run the skill from a trusted installation path.

What this means

If WebSocket support is needed, dependency installation could vary by package version or package source.

Why it was flagged

Optional WebSocket support depends on installing an external Python package without a pinned version in the visible instructions. This is a common setup pattern but should be done from a trusted package source.

Skill content

WebSocket support requires websockets package (pip install websockets)

Recommendation

Install dependencies from trusted repositories and pin versions if using this skill in a controlled or production environment.