Low Risk — Risk Score 15/100
Last scan: 1 day ago
bt-download
BT download helper, supporting aria2 RPC-mode downloads, monitoring and automatic seeding
A legitimate BT download tool using aria2 RPC with standard shell execution patterns, but missing capability declarations in documentation.
Skill Name: bt-download
Duration: 27.8s
Engine: pi
Safe to install
Add explicit shell:WRITE and network:READ declarations to SKILL.md to match the actual implementation. Consider adding version pinning for the aria2 installation.

Findings 3 items

Severity: Low
Finding: Missing shell execution declaration (Doc Mismatch)
SKILL.md does not declare that the skill uses child_process.exec for shell commands. While the commands are legitimate (aria2 installation, RPC checks), the documentation should reflect this capability.
Evidence: exec('which aria2c && aria2c --version | head -1', ...)
→ Add shell:WRITE to the skill's declared capabilities in SKILL.md
Location: plugin.ts:77

Severity: Low
Finding: Missing network access declaration (Doc Mismatch)
The skill fetches tracker lists from raw.githubusercontent.com, but this is not mentioned in SKILL.md.
Evidence: exec('curl -s https://raw.githubusercontent.com/ngosang/...')
→ Document that the skill makes outbound HTTPS requests to fetch BT trackers
Location: plugin.ts:113

Severity: Low
Finding: Sudo apt-get for aria2 installation (Priv Escalation)
The bt_install_aria2 function uses 'sudo apt-get', which requires elevated privileges. While this is expected for installing system packages, it should be clearly documented.
Evidence: exec('sudo apt-get update && sudo apt-get install -y aria2')
→ Document that this tool requires sudo privileges for installation
Location: plugin.ts:96
Resource      Declared  Inferred  Status        Evidence
Shell         NONE      WRITE     ✗ Violation   plugin.ts:77, plugin.ts:96, plugin.ts:128
Network       NONE      READ      ✗ Violation   plugin.ts:113 fetches from github.com
Filesystem    NONE      READ      ✗ Violation   plugin.ts:233 reads .torrent files
Environment   NONE      READ      ✓ Aligned     plugin.ts:218 reads DOWNLOAD_DIR env
1 finding
Medium: External URL
https://aria2.github.io
SKILL.md:4

File Tree

2 files · 20.7 KB · 591 lines
TypeScript: 1 file · 456 lines · Markdown: 1 file · 135 lines
├─ 📜 plugin.ts TypeScript 456L · 17.2 KB
└─ 📝 SKILL.md Markdown 135L · 3.4 KB

Security Positives

✓ All network requests go to localhost (RPC) or legitimate BT-related services (GitHub for trackers)
✓ No credential harvesting or sensitive data access detected
✓ No obfuscated code, base64 execution, or reverse shell patterns
✓ Uses standard aria2 RPC protocol for actual downloading
✓ No persistence mechanisms (no cron, no autostart) beyond aria2 process itself
✓ No data exfiltration or C2 communication patterns
✓ Legitimate, well-known open source tool (aria2)