Skill v1.0.0

ClawScan security

BT Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 14, 2026, 4:20 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill generally matches its stated purpose (controlling aria2 for BT downloads) but contains insecure defaults and several execution patterns (shell exec with user data, starting aria2 with rpc-listen-all and no auth) that are disproportionate or risky and should be fixed or mitigated before use.
Guidance
This skill appears to implement an aria2-based BT helper, but there are security concerns you should consider before installing or running it:
- RPC exposure: The plugin starts aria2 with --enable-rpc and --rpc-listen-all but does not set an rpc-secret. That will expose aria2's RPC interface to the network and allow remote control of downloads if your host is reachable. If you use this, configure an rpc-secret and/or restrict the RPC bind address to localhost.
- Command injection risk: The plugin constructs shell commands (child_process.exec) that include user-provided values such as download directories and possibly URLs. If the agent or other users can supply crafted input, this could lead to command injection. Only use in trusted environments or after adding proper input sanitation/escaping.
- Privilege elevation for install: The install path runs apt-get with sudo; this requires admin rights and will modify the system.
- Network calls: The tool fetches trackers from a remote GitHub URL and uses curl; ensure your environment policy allows those requests and that you trust the source.
- Mitigations: run the skill in an isolated VM or container, and verify and/or modify the plugin to:
  1) require or set --rpc-secret,
  2) avoid --rpc-listen-all (or bind explicitly to localhost),
  3) avoid passing unsanitized user input to shells (use execFile/spawn with args), and
  4) review the remainder of the plugin code (the truncated portion) to confirm no hidden endpoints or exfiltration.
If you cannot audit or modify the code, avoid running it on sensitive machines or networks.
Additional information that would raise confidence: the rest of plugin.ts showing how it handles user-supplied URLs/paths, explicit support for rpc-secret configuration, or explicit input sanitization.

Review Dimensions

Purpose & Capability
ok
Name, description, SKILL.md and plugin code consistently implement an aria2-based BT download manager (checks/installs aria2, manages RPC, adds downloads, trackers, DHT, monitoring). The required binary aria2c is appropriate.
Instruction Scope
concern
The code and instructions include actions outside simple bookkeeping: it runs shell commands (child_process.exec) that incorporate user-supplied values, fetches tracker lists from GitHub, and starts aria2 with --enable-rpc --rpc-listen-all. There is no handling or mention of securing RPC (no --rpc-secret), no sanitization of user-supplied paths/arguments, and the RPC listen-all default exposes the service to network access. Those behaviors expand scope beyond a minimal download helper.
Install Mechanism
note
No formal install spec in the package (instruction-only), but SKILL.md contains an apt install suggestion and the plugin's bt_install_aria2 executes apt-get via sudo. Installing via apt is expected for aria2, but it requires elevated privileges and will run arbitrary package manager operations.
Credentials
ok
The skill does not request credentials or secrets and only optionally reads DOWNLOAD_DIR from the environment, which is proportionate. There are no unexpected required env vars.
Persistence & Privilege
note
The always flag is false (no forced inclusion). The plugin starts a background aria2 process and writes logs to /tmp, which is normal for this use case but increases local attack surface. Combined with rpc-listen-all and lack of authentication, the persistence behavior is risky.