n0nsense11

BT Download

by n0nsense · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious
Downloads: 311 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw
/install bt-download
Description
BT download assistant supporting aria2 RPC-mode downloading, monitoring and automatic seeding.
README (SKILL.md)

BT Download (aria2 RPC)

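BT download assistant. Supports magnet links, BT files and ordinary download links, with RPC mode and automatic seeding monitoring.

Features

  • bt_check_aria2 - Check whether aria2 is installed
  • bt_install_aria2 - Install aria2
  • bt_get_trackers - Fetch the latest BT tracker list
  • bt_check_dht - Check DHT (IPv4/IPv6) status
  • bt_enable_dht - Enable DHT support
  • bt_start_rpc - Start the aria2 RPC service (DHT is enabled automatically)
  • bt_download - Add a download task
  • bt_get_status - Query seeding status
  • bt_stop_seed - Stop a seeding task
  • bt_monitor_and_stop - Monitor seeding and stop automatically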

Quick Start

1. Check for and install aria2

bt_check_aria2
bt_install_aria2

2. Start the RPC service

bt_start_rpc

3. Add a download

Magnet link:

bt_download --url "magnet:?xt=urn:btih:..."

BT file:

bt_download --url "/path/to/file.torrent"

Ordinary link:

bt_download --url "https://example.com/file.ext"

4. Monitor seeding

bt_get_status
bt_monitor_and_stop --targetRatio 500

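Parameters

Tool | Parameter | Description
bt_check_dht | - | Check DHT status
bt_enable_dht | dht | Enable IPv4 DHT, default true
bt_enable_dht | dht6 | Enable IPv6 DHT, default true
bt_start_rpc | downloadDir | Directory where downloads are saved
bt_start_rpc | seedRatio | Target seed ratio, default 5
bt_start_rpc | seedTime | Maximum seeding time (minutes), default 1440
bt_start_rpc | enableDht | Enable DHT automatically, default true
bt_download | url | Download link, BT file path or magnet link
bt_download | downloadDir | Save directory (optional; if omitted, a confirmation prompt is returned)
bt_download | useDefaultDir | Use the default directory directly, skipping confirmation
bt_download | seedRatio | Target seed ratio
bt_download | seedTime | Maximum seeding time
bt_stop_seed | gid | Task GID (optional)
bt_monitor_and_stop | targetRatio | Target seed ratio (percentage), default 500%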

Download Confirmation

When bt_download is called without downloadDir, it returns a confirmation prompt:

{
  "needConfirm": true,
  "defaultDir": "~/Downloads",
  "message": "请确认下载目录:\n1. 使用默认目录: ~/Downloads\n2. 指定其他目录(请回复具体路径)",
  "hint": "回复「1」使用默认目录,或回复具体路径指定其他目录"
}

System default directories:

  • Windows: C:\Users\<username>\Downloads
  • macOS: /Users/<username>/Downloads
  • Linux: /home/<username>/Downloads

After the user replies, call bt_download again with the directory specified (or with useDefaultDir: true to use the default directly).

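Seeding Monitor

bt_monitor_and_stop will:

  1. Check the seed ratio of the current seeding tasks
  2. Automatically stop a task once it reaches the target
  3. Notify the user in the session
  4. Keep aria2 RPC running

Example return:

{
  "checked": 1,
  "stopped": 1,
  "notify": "✅ 做种任务已完成,已自动停止:\n• example.bin (已上传 xx.xx GB)"
}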
Usage Guidance
This skill appears to implement an aria2-based BT helper, but there are security concerns you should consider before installing or running it:

  • RPC exposure: The plugin starts aria2 with --enable-rpc and --rpc-listen-all but does not set an rpc-secret. That will expose aria2's RPC interface to the network and allow remote control of downloads if your host is reachable. If you use this, configure an rpc-secret and/or restrict the RPC bind address to localhost.
  • Command injection risk: The plugin constructs shell commands (child_process.exec) that include user-provided values such as download directories and possibly URLs. If the agent or other users can supply crafted input, this could lead to command injection. Only use in trusted environments or after adding proper input sanitization/escaping.
  • Privilege elevation for install: The install path runs apt-get with sudo; this requires admin rights and will modify the system.
  • Network calls: The tool fetches trackers from a remote GitHub URL and uses curl; ensure your environment policy allows those requests and that you trust the source.
  • Mitigations: run the skill in an isolated VM or container, verify and/or modify the plugin to: 1) require or set --rpc-secret, 2) avoid --rpc-listen-all (or bind explicitly to localhost), 3) avoid passing unsanitized user input to shells (use execFile/spawn with args), and 4) review the remainder of the plugin code (the truncated portion) to confirm no hidden endpoints or exfiltration.

If you cannot audit or modify the code, avoid running it on sensitive machines or networks.

Additional information that would raise confidence: the rest of plugin.ts showing how it handles user-supplied urls/paths, explicit support for rpc-secret configuration, or explicit input sanitization.
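The mitigations listed above (set an rpc-secret, avoid --rpc-listen-all, pass arguments without a shell), sketched in Node.js as an added example. This is not the skill's plugin.ts; the function names, the baseDir confinement and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not the skill's plugin.ts; function names are hypothetical.
const { spawn } = require("node:child_process");
const crypto = require("node:crypto");
const path = require("node:path");

// Resolve the requested directory and require it to stay inside baseDir
// (the baseDir confinement is an assumption of this example).
function resolveDownloadDir(requested, baseDir) {
  if (typeof requested !== "string" || requested === "" || /[\0\r\n]/.test(requested)) {
    throw new Error("invalid download directory");
  }
  const base = path.resolve(baseDir);
  const dir = path.resolve(base, requested);
  const rel = path.relative(base, dir);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("download directory escapes " + base);
  }
  return dir;
}

// Build an argv array. Each element reaches aria2c as exactly one argument;
// no shell ever parses it, so quotes and semicolons in a path are just bytes.
function buildAria2Args({ downloadDir, baseDir, secret, seedRatio = 5, seedTime = 1440 }) {
  const ratio = Number(seedRatio);
  const minutes = Number(seedTime);
  if (!Number.isFinite(ratio) || ratio < 0) throw new Error("invalid seedRatio");
  if (!Number.isInteger(minutes) || minutes < 0) throw new Error("invalid seedTime");
  if (!/^[A-Za-z0-9]{32,}$/.test(secret)) throw new Error("weak or missing rpc secret");
  return [
    "--enable-rpc=true",
    "--rpc-listen-all=false", // RPC listens on loopback only
    `--rpc-secret=${secret}`, // callers must send "token:<secret>"
    `--dir=${resolveDownloadDir(downloadDir, baseDir)}`,
    `--seed-ratio=${ratio}`,
    `--seed-time=${minutes}`,
    "--enable-dht=true",
  ];
}

// Start aria2c without a shell and with a fresh random secret per run.
function startRpc(opts) {
  const secret = crypto.randomBytes(24).toString("hex");
  const args = buildAria2Args({ ...opts, secret });
  return { secret, child: spawn("aria2c", args, { shell: false, stdio: "ignore" }) };
}
```

A secret passed on the command line is visible to other local users in the process list; aria2 can also read rpc-secret from a configuration file given with --conf-path, which can be kept readable only by its owner.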
Capability Analysis
Type: OpenClaw Skill · Name: bt-download · Version: 1.0.0

The skill bundle provides BitTorrent management functionality via aria2 but contains several high-risk vulnerabilities. In `plugin.ts`, the `bt_start_rpc` tool is vulnerable to shell command injection because the `downloadDir` parameter is interpolated directly into a command string without sanitization. Additionally, the `bt_download` tool allows for arbitrary file reading if a user-provided path ends in `.torrent`, and the `bt_install_aria2` tool executes high-privilege `sudo apt-get` commands. While these capabilities are aligned with the stated purpose, the lack of input validation and the use of broad permissions pose a security risk.
Capability Assessment
Purpose & Capability
Name, description, SKILL.md and plugin code consistently implement an aria2-based BT download manager (checks/installs aria2, manages RPC, adds downloads, trackers, DHT, monitoring). The required binary aria2c is appropriate.
Instruction Scope
The code and instructions include actions outside simple bookkeeping: it runs shell commands (child_process.exec) that incorporate user-supplied values, fetches tracker lists from GitHub, and starts aria2 with --enable-rpc --rpc-listen-all. There is no handling or mention of securing RPC (no --rpc-secret), no sanitization of user-supplied paths/arguments, and the RPC listen-all default exposes the service to network access. Those behaviors expand scope beyond a minimal download helper.
Install Mechanism
No formal install spec in the package (instruction-only), but SKILL.md contains an apt install suggestion and the plugin's bt_install_aria2 executes apt-get via sudo. Installing via apt is expected for aria2, but it requires elevated privileges and will run arbitrary package manager operations.
Credentials
The skill does not request credentials or secrets and only optionally reads DOWNLOAD_DIR from the environment, which is proportionate. There are no unexpected required env vars.
Persistence & Privilege
always is false (no forced inclusion). The plugin starts a background aria2 process and writes logs to /tmp, which is normal for this use case but increases local attack surface. Combined with rpc-listen-all and lack of authentication, the persistence behavior is risky.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install bt-download
  3. After installation, invoke the skill by name or use /bt-download
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
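Initial release, providing a BT download assistant based on aria2 RPC:
  • Supports downloading magnet links, BT files and ordinary links
  • Provides helper tools for installing, detecting and starting aria2
  • Supports DHT detection and enabling, automatic seeding and monitoring, and automatic stop when seeding completes
  • The download directory can be specified flexibly; when it is not specified, a confirmation prompt is shown
  • Cross-platform, compatible with the default download directories on Windows, macOS and Linux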
Metadata
Slug bt-download
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is BT Download?

A BT download assistant supporting aria2 RPC-mode downloading, monitoring and automatic seeding. It is an AI Agent Skill for Claude Code / OpenClaw, with 311 downloads so far.

How do I install BT Download?

Run "/install bt-download" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is BT Download free?

Yes, BT Download is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does BT Download support?

BT Download is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created BT Download?

It is built and maintained by n0nsense (@n0nsense11); the current version is v1.0.0.
