Aria2 Rpc

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward aria2 remote-control helper, but users should protect the RPC endpoint and token carefully.

Install only if you intend to let the agent control an aria2 instance you own. Prefer binding RPC to localhost or a trusted tunnel, use a strong secret, avoid putting real tokens in shell history, logs, screenshots, or world-readable config files, and review remove, force, bulk, and configuration-changing commands before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding:
The documentation understates the skill's effective control surface: beyond basic download management, it can modify global and per-task aria2 options and supports additional artifact types such as torrent and metalink. That mismatch can mislead users into granting access to a tool that can reconfigure a downloader, change file destinations or network behavior, and initiate broader download actions than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill exposes additional capability beyond its declared scope: it can read and modify aria2 global and per-task options, not just add/query/pause/resume/remove downloads. In an agent setting, this is dangerous because hidden configuration-changing functionality can be invoked unexpectedly to alter download directories, proxy settings, session behavior, or other operational controls on a local or remote aria2 instance.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The guide includes an example that passes `--rpc-secret mytoken` directly on the command line for a remote aria2 instance. Command-line arguments are commonly exposed via shell history, process listings, logs, and audit tooling, so this can leak the RPC secret and allow unauthorized remote control of the download service.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The examples place the RPC secret directly on the command line and in shell environment variables without any warning about credential sensitivity. Command-line arguments can be exposed via process listings and shell history, and environment variables may leak through logs, debugging output, or shared session practices, increasing the chance of credential disclosure.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The troubleshooting command enables aria2 RPC with `--rpc-listen-all=true`, exposing the control interface on all network interfaces, but provides no warning to restrict access or use transport/network protections. If deployed on an untrusted network or with weak handling of the secret, attackers could remotely control downloads, change settings, or abuse the service, making this especially dangerous given the skill's remote-control purpose.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The documentation encourages storing and supplying RPC secrets via environment variables and a plaintext config file without any warning about exposure risks. In shared systems, shell history, process environments, backups, mis-set file permissions, or accidental publication of config files can leak the token and allow unauthorized remote control of the aria2 instance.

VirusTotal

64/64 vendors flagged this skill as clean.