Back to skill

Security audit

Aria2 Json Rpc

Security checks across malware telemetry and agentic risk

Overview

This skill transparently lets an agent control an aria2 download manager, with expected risks around starting, stopping, and monitoring downloads.

Install this only if you want an agent to manage your aria2 instance. Keep the RPC secret private, prefer localhost or TLS-protected remote RPC, review URLs and torrent/metalink files before adding them, and require confirmation before remove, purge, pause-all, resume-all, or global option changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation instructs the agent to invoke local Python scripts that can read and write configuration files, access environment-derived settings, make network requests to an aria2 RPC endpoint, and execute via shell, yet no explicit permissions are declared. This creates a trust and consent gap: an agent or platform may underestimate the skill’s ability to modify local files, contact arbitrary hosts, and trigger download-related actions, increasing the risk of unintended side effects or SSRF-like access to internal services through configured RPC endpoints.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This reference documents active download-triggering RPC methods such as aria2.addUri, aria2.addTorrent, and aria2.addMetalink with direct execution examples, but does not warn that using them causes network access, may write files to disk, and may fetch untrusted or legally sensitive content. In an agent skill context, that omission can lead an automated system to initiate downloads from user-supplied URLs or torrent/metalink data without explicit consent or safety checks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide documents destructive operations such as removing active downloads and purging/removing download results without instructing the agent to obtain explicit user confirmation or warn about data-loss consequences. In an agent setting, this raises the risk of unintended deletion of task history or active jobs from ambiguous natural-language requests, especially because the workflow encourages direct execution from parsed intent.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The helper script list includes `add-torrent.py`, but the execution guide does not warn that supplying a local `.torrent` file causes the agent to ingest local content and trigger outbound network activity to trackers/peers. In a natural-language agent context, that can cause unintended data handling and external communication from a loosely specified request.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The client explicitly allows insecure WebSocket transport by constructing a ws:// URL whenever secure is false, and it injects the aria2 authentication secret into RPC parameters. If this is used over an untrusted network, an attacker on-path can observe or tamper with authentication tokens and JSON-RPC traffic, potentially issuing unauthorized download-manager commands. In this skill context, the risk is real because the component is designed to control downloads remotely, but it is somewhat mitigated when used only against localhost or a trusted private network.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.