Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aria2 Download

v1.0.0

Add download tasks via Aria2 RPC, with support for real-time progress monitoring.

by Ingress @ingress007
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and download.sh all focus on aria2 RPC operations and progress monitoring. Environment variables declared in SKILL.md (ARIA2_RPC_URL, ARIA2_SECRET, ARIA2_DIR) are appropriate for this purpose. Minor mismatch: registry metadata listed no required env vars while SKILL.md documents them.
Instruction Scope
Instructions and the script limit actions to interacting with the configured Aria2 RPC (adding tasks, querying status, monitoring). The agent is not instructed to read arbitrary files or send data to third‑party endpoints beyond the user-specified RPC URL.
Install Mechanism
No install spec (instruction-only with an included script). Nothing downloads or executes remote code during install. The runtime does assume typical CLI tools are available (curl, node) but does not declare or install them.
Credentials
Requested secrets (ARIA2_SECRET) and RPC URL are proportional to the skill's functionality. However the registry metadata lists no required env vars while SKILL.md and the script do rely on ARIA2_RPC_URL, ARIA2_SECRET, and ARIA2_DIR — an inconsistency the user should be aware of.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request persistent system-wide privileges or modify other skill configurations.
Assessment
This skill appears to do what it says: control an aria2 RPC and show progress. Before installing or running it:
1) Ensure you trust the configured ARIA2_RPC_URL — any secret (ARIA2_SECRET) you provide will be sent to that RPC endpoint; only point to aria2 instances you control/trust.
2) The script uses curl and node at runtime but the registry declares no required binaries; make sure curl and node are available (or adapt the script to use jq/other tools).
3) There is a small bug in add_download when no ARIA2_SECRET is set: the payload uses the literal string "URL" instead of the variable ($URL) — you may want to fix that before use.
4) Review/modify ARIA2_DIR and network exposure of aria2 RPC (bind to localhost or use firewall/auth) to avoid remote misuse.
5) As with any script that talks to network services, review the code and run it in an isolated environment if you have security concerns.

Like a lobster shell, security has layers — review code before you run it.

latest vk9715key77eqxr3sgh4597g31h82bn0g


Runtime requirements

⬇️ Clawdis
