← Back to Skills Marketplace
hansponddg

Background Download

by hansponddg · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
95
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install background-download
Description
Asynchronous background download with retry, status tracking via Ontology, notifications to original channel. Supports resume on broken connections.
README (SKILL.md)

Background Download Skill

中文:后台异步下载技能

  • 非阻塞下载,不占用主会话
  • 支持断点续传,自动重试
  • 通过 Ontology 跟踪状态
  • 结果通知到原请求渠道

Asynchronous background file download with:

  • Non-blocking: returns immediately to user, downloads in background
  • Resumeable: uses curl/wget built-in continue (-c)
  • Retry: configurable max retries (default 3)
  • Status tracking: all tasks stored in Ontology knowledge graph
  • Notification: sends completion/failure notification to original channel
  • Housekeeping: heartbeat cleans up zombie tasks, archives old completed tasks

Commands

start - Start a new background download

python3 scripts/download.py start --title "Title" --url "https://example.com/file.zip" --path "/path/to/save/file.zip" --channel "feishu:direct:user_id" [--max-retries 3]

status - Check download status by task id

python3 scripts/download.py status --id down_xxxxxxx

list - List all download tasks filtered by status

python3 scripts/download.py list [--status pending|downloading|completed|failed|archived]

archive - Archive old completed tasks

python3 scripts/download.py archive --days 7

cleanup-zombies - Mark stale downloading tasks as failed

python3 scripts/download.py cleanup-zombies --hours 2

Architecture

User requests download
  ↓
Create DownloadTask in Ontology (status=pending)
  ↓
Fork background download process, exit immediately (non-blocking)
  ↓
Background:
  Update status → downloading
  Loop:
    Download with curl -C - (resume)
    If success:
      Update status → completed
      Send notification to original channel
      Done
    If fail:
      retry_count += 1
      If retry_count \x3C max_retries: wait 30s → retry
      Else:
        Update status → failed
        Send failure notification to original channel
        Done

Heartbeat daily:
  cleanup-zombies --hours 2
  archive --days 7

Ontology Schema

See references/schema.json for DownloadTask definition.

Required properties:

  • title: Human-readable download name
  • url: Download URL
  • path: Local path to save file
  • status: pending|downloading|completed|failed|archived
  • retry_count: Current number of retries
  • max_retries: Maximum retries (usually 3)
  • created_by_channel: Original channel identifier (channel_type:channel_id:user_id) for notification

Usage Example

# From another skill
from scripts.download import start_download
start_download(
    title="Obsidian Windows",
    url="https://github.com/obsidianmd/obsidian-releases/releases/download/v1.12.4/Obsidian-1.12.4.exe",
    path="/home/user/files/Obsidian.exe",
    channel="feishu:direct:ou_xxxxxxx",
    max_retries=3
)

Notification

Completion/failure notifications are sent via openclaw message send to the original channel recorded in created_by_channel.

Requirements

  • ontology skill must be installed and initialized
  • curl or wget available on system
Usage Guidance
This skill appears to do what it claims (background downloads tracked in Ontology and notifications), but its implementation is risky rather than malicious. Key concerns to check before installing: - The code builds shell commands (ontology invocation, curl, openclaw message) by concatenating user-provided strings without escaping — this is vulnerable to shell injection. Review and/or patch the code to use argument lists or proper escaping (e.g., shlex.quote) and avoid shell=True. - The script assumes a hard-coded ontology script path under ~/.openclaw/...; confirm that this path is correct and that the referenced ontology CLI is trusted and safe. - Notifications include URL and file path information — decide whether that could leak sensitive URLs or filesystem locations to channels. - Background processes persist outside the agent session; run this skill in a restricted environment or with limited filesystem/network permissions if possible. - If you plan to let other skills call start_download programmatically, ensure callers cannot pass malicious values for 'url', 'path', or 'channel'. If you cannot audit and harden the code (escape shell args, validate inputs, or call the ontology/openclaw APIs safely), treat this skill as unsafe to enable in production.
Capability Analysis
Type: OpenClaw Skill Name: background-download Version: 1.0.0 The skill contains multiple critical shell injection vulnerabilities in `scripts/download.py` due to the unsafe use of `subprocess.run(shell=True)` with unsanitized user inputs. Specifically, the `do_download`, `send_notification`, and `run_ontology_cmd` functions interpolate variables like `url`, `path`, and `message` directly into shell strings, which could allow an attacker to execute arbitrary commands. While the code's logic aligns with its stated purpose of background downloading, the high-risk implementation of command execution warrants a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description (background, resume, retry, ontology tracking, notifications) align with the code and SKILL.md. Requiring an ontology skill and a message/CLI for notifications is expected for the described behavior. The need for curl/wget is justified.
Instruction Scope
The SKILL.md and code instruct the agent to create and update DownloadTask entities and to send notifications to the original channel — all consistent. However, the runtime instructions and code execute many shell commands (calling an ontology script, performing curl, invoking 'openclaw message send') and interpolate user-supplied strings into shell commands without escaping. The code also double-forks to create detached background processes. These behaviors expand the runtime scope considerably and introduce injection and operational risks that are not called out in the SKILL.md.
Install Mechanism
No install spec; the skill is instruction-plus-code only. Nothing is downloaded from external URLs during install. This is low install risk, but the code will execute commands at runtime.
Credentials
The skill declares no env vars, which is consistent. But it assumes a specific local path for the ontology script (~/.openclaw/.../ontology/scripts/ontology.py) and uses the 'openclaw' CLI; these implicit dependencies and path assumptions grant it access to local agent memory and messaging. Notifications include URLs and paths which could leak sensitive info to channels. The skill accepts arbitrary URL/path/channel inputs which are directly interpolated into shell commands — disproportionate risk relative to a simple downloader unless inputs are strictly validated/escaped.
Persistence & Privilege
The skill forks detached background processes to perform downloads and relies on scheduled cleanup/archiving. It does not request 'always: true' or modify other skill configs, but the background process model means the skill will run independently of the parent session. This is expected for background downloads but increases the blast radius if the code is abused (e.g., to download arbitrary content or perform repeated network calls).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install background-download
  3. After installation, invoke the skill by name or use /background-download
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug background-download
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Background Download?

Asynchronous background download with retry, status tracking via Ontology, notifications to original channel. Supports resume on broken connections. It is an AI Agent Skill for Claude Code / OpenClaw, with 95 downloads so far.

How do I install Background Download?

Run "/install background-download" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Background Download free?

Yes, Background Download is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Background Download support?

Background Download is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Background Download?

It is built and maintained by hansponddg (@hansponddg); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments