Downloads: 420 | Stars: 0 | Active Installs: 2 | Versions: 4
Install in OpenClaw
/install aria2-rpc
Description
Remote control for aria2 download service via JSON-RPC 2.0. Supports adding downloads (HTTP/FTP/Torrent/Magnet), querying task status, pausing/resuming, and...
README (SKILL.md)
aria2-rpc Skill
Remotely control the aria2 download service over the JSON-RPC 2.0 protocol.
Features
- Add HTTP/FTP/Magnet/Torrent downloads
- Query task status; pause, resume, or remove tasks
- Get global statistics and configuration
- Supports remote aria2 instances and RPC authentication
Installation
# Install dependencies
pip3 install requests
# Configure aria2 (enable RPC)
aria2c --enable-rpc --rpc-listen-all=true --rpc-secret=mytoken -D
Quick Start
# Add a download
python3 /root/.openclaw/workspace/skills/aria2-rpc/scripts/aria2_rpc.py add-uri "http://example.com/file.zip" --rpc-secret mytoken
# Check progress
python3 scripts/aria2_rpc.py tell-active --rpc-secret mytoken
Environment Variables
export ARIA2_RPC_URL="http://localhost:6800/jsonrpc"
export ARIA2_RPC_SECRET="your-secret-token"
Script Path
- Main script:
/root/.openclaw/workspace/skills/aria2-rpc/scripts/aria2_rpc.py
Detailed Documentation
Usage Guidance
This skill appears to be a straightforward aria2 JSON-RPC client and is internally consistent. Before installing, check these small issues: (1) the metadata lists curl as a required binary even though the Python client uses requests — curl is not necessary; (2) the docs show running aria2c to enable RPC but aria2c is not declared as a required binary — if you plan to control a local aria2 instance you must have aria2/aria2c available; (3) be careful which RPC URL and secret you supply — the script will send commands (and in the case of add-torrent/add-metalink will read local files you point it at and encode/send them) to whatever RPC endpoint is configured; ensure that endpoint is trusted; (4) review scripts/aria2_rpc.py yourself if you need higher assurance. If you only intend to control a local aria2 instance, use defaults and keep ARIA2_RPC_SECRET private.
Capability Analysis
Type: OpenClaw Skill
Name: aria2-rpc
Version: 0.1.2
The skill is designed to remotely control an aria2 download service via JSON-RPC, which inherently involves network and file system interactions. While its core functionality is legitimate, the `scripts/aria2_rpc.py` script exposes several capabilities that could be abused if an attacker can control the inputs (e.g., via prompt injection against the OpenClaw agent). These include:
1) Local File Read (LFR) vulnerability: The `add_torrent` and `add_metalink` methods read local files (e.g., `torrent_path`) and send their base64-encoded content to the aria2 RPC server. An attacker could potentially trick the agent into providing a path to a sensitive file, leading to its exfiltration to the aria2 server.
2) Local File Write (LFW) / Configuration Manipulation vulnerability: The `add-uri` command allows specifying `--dir` and `--out` options, and `set-global-option`/`set-option` allow setting arbitrary aria2 configuration keys (e.g., `dir`, `save-session`, `user-agent`, `all-proxy`). This could be exploited to write files to arbitrary locations on the aria2 server's filesystem or manipulate its behavior.
3) Arbitrary Network Requests: The `rpc-url` can be controlled by environment variables or command-line arguments, allowing the script to make requests to arbitrary internal or external endpoints.
The `SKILL.md` also grants broad `Bash(aria2:*)` permissions, further increasing the attack surface. These are significant vulnerabilities, but the code does not show clear evidence of intentional malicious behavior (e.g., exfiltrating data to an unauthorized third party, installing backdoors).
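A wrapper can narrow the three input paths listed above by validating agent-supplied arguments before they reach `scripts/aria2_rpc.py`. The following is an added example, not code from the skill; the allowlists, `TORRENT_DIR`, `GuardError` and the function names are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Assumptions for this sketch: only a local aria2 is trusted, torrents live in one
# staging directory, and only these option keys may be changed by the agent.
ALLOWED_RPC_HOSTS = {"localhost", "127.0.0.1"}
ALLOWED_OPTION_KEYS = {"max-download-limit", "max-concurrent-downloads"}
TORRENT_DIR = os.path.join(tempfile.gettempdir(), "aria2-torrents")


class GuardError(ValueError):
    """Raised when an agent-supplied argument falls outside policy."""


def check_rpc_url(url):
    """Accept only http(s) URLs whose parsed host is allowlisted, without userinfo."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_RPC_HOSTS:
        raise GuardError(f"untrusted RPC endpoint: {url!r}")
    if parts.username is not None or parts.password is not None:
        raise GuardError(f"credentials in RPC URL: {url!r}")
    return url


def check_torrent_path(path, base=TORRENT_DIR):
    """Accept only regular .torrent files that resolve (symlinks included) inside base."""
    real, base_real = os.path.realpath(path), os.path.realpath(base)
    if os.path.commonpath([real, base_real]) != base_real:
        raise GuardError(f"path resolves outside {base!r}: {path!r}")
    if not real.endswith(".torrent") or not os.path.isfile(real):
        raise GuardError(f"not a .torrent file: {path!r}")
    return real


def check_options(options):
    """Accept only allowlisted aria2 option keys; dir, out, all-proxy etc. are refused."""
    refused = sorted(set(options) - ALLOWED_OPTION_KEYS)
    if refused:
        raise GuardError(f"option keys not permitted: {refused}")
    return dict(options)
```

Checking the resolved path rather than the string the agent supplied is what stops a symlink or `..` segment inside the staging directory from pointing the file read elsewhere.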
Capability Assessment
Purpose & Capability
The name/description (aria2 RPC client) align with the included Python client and docs. The metadata lists required binaries as curl and python3; the shipped client uses python3+requests (no use of curl in the code), and the docs mention running aria2c to enable RPC but aria2/aria2c is not listed as a required binary — this is a small inconsistency in metadata vs. instructions, not a functional mismatch.
Instruction Scope
SKILL.md instructs the agent/user to install requests, enable aria2 RPC, set ARIA2_RPC_URL/ARIA2_RPC_SECRET, and run the provided script. The runtime instructions and script operate on aria2 RPC endpoints and only read local files when explicitly asked (e.g., reading a .torrent/.metalink file supplied by the user). There are no instructions to read arbitrary system files, exfiltrate data to unexpected endpoints, or perform actions outside the aria2 domain.
Install Mechanism
This is an instruction-only skill (no installer). The only runtime dependency is the requests Python package (installable via pip); no external downloads or archive extraction are performed by the skill itself.
Credentials
No credentials are required by the registry metadata. The skill accepts optional ARIA2_RPC_URL and ARIA2_RPC_SECRET environment variables as expected for an RPC client. It does not request unrelated secrets or multiple unrelated environment variables.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent/always-on privilege or attempt to modify other skills or global agent configuration. File paths referenced are the skill's own script location or user-supplied files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install aria2-rpc
- After installation, invoke the skill by name or use /aria2-rpc
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
v0.1.2: Cleaned up test files and README.md for cleaner distribution
v0.1.1
- Removed README.md to streamline documentation.
- Removed scripts/test_installation.py to clean up testing files.
- No functional or interface changes in this version.
v0.1.0
Initial release.
- Remote control for aria2 download service via JSON-RPC 2.0.
- Supports adding downloads (HTTP/FTP/Torrent/Magnet), querying task status, pausing/resuming, and removing tasks.
- Compatible with both local and remote aria2 instances.
- Includes documentation for setup, usage examples, and configuration.
- Requires curl, python3, and the requests Python package.
v0.0.2
v0.0.2: Restructured documentation - moved detailed docs to references/, refined SKILL.md, added API_REFERENCE.md and USAGE.md
Frequently Asked Questions
What is Aria2 Rpc?
Remote control for aria2 download service via JSON-RPC 2.0. Supports adding downloads (HTTP/FTP/Torrent/Magnet), querying task status, pausing/resuming, and... It is an AI Agent Skill for Claude Code / OpenClaw, with 420 downloads so far.
How do I install Aria2 Rpc?
Run "/install aria2-rpc" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Aria2 Rpc free?
Yes, Aria2 Rpc is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Aria2 Rpc support?
Aria2 Rpc is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Aria2 Rpc?
It is built and maintained by KGTAF (@killgfat); the current version is v0.1.2.