Low risk: risk score 15/100
Last scan: 1 day ago
bt-download
BT download helper; supports downloading, monitoring and auto-seeding through the aria2 RPC interface.
A legitimate BT download tool built on aria2 RPC that uses ordinary shell execution patterns; its SKILL.md does not declare the capabilities the code actually exercises.
Skill name: bt-download
Analysis time: 27.8s
Engine: pi
Verdict: safe to install
Recommendation: add explicit shell:WRITE and network:READ declarations to SKILL.md so that it matches the implementation, and consider pinning the aria2 version in the installation command.

Security findings: 3

Severity / Finding / Category / Location

Low  Missing shell execution declaration  (category: documentation mismatch)  plugin.ts:77
SKILL.md does not declare that the skill runs shell commands through child_process.exec. The commands themselves are legitimate (aria2 installation, RPC checks), but the documentation should reflect this capability.
Evidence: exec('which aria2c && aria2c --version | head -1', ...)
→ Add shell:WRITE to the skill's declared capabilities in SKILL.md

Low  Missing network access declaration  (category: documentation mismatch)  plugin.ts:113
The skill fetches tracker lists from raw.githubusercontent.com, but SKILL.md does not mention any outbound network access.
Evidence: exec('curl -s https://raw.githubusercontent.com/ngosang/...')
→ Document that the skill makes outbound HTTPS requests to fetch BT trackers

Low  Sudo apt-get for aria2 installation  (category: privilege escalation)  plugin.ts:96
The bt_install_aria2 function runs 'sudo apt-get', which requires elevated privileges. That is expected when installing a system package, but it should be documented clearly. Note also that when sudo is invoked non-interactively through exec there is no terminal on which to prompt for a password, so the call fails unless the invoking user has passwordless (NOPASSWD) sudo rights or a cached credential.
Evidence: exec('sudo apt-get update && sudo apt-get install -y aria2')
→ Document that this tool requires sudo privileges for installation
Resource             Declared  Inferred  Status               Evidence
Command execution    NONE      WRITE     ✗ exceeds declared   plugin.ts:77, plugin.ts:96, plugin.ts:128
Network access       NONE      READ      ✗ exceeds declared   plugin.ts:113 fetches from github.com
File system          NONE      READ      ✗ exceeds declared   plugin.ts:233 reads .torrent files
Environment vars     NONE      READ      ✓ consistent         plugin.ts:218 reads DOWNLOAD_DIR env
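The permission table above comes from comparing the capabilities inferred from plugin.ts with those declared in SKILL.md. The TypeScript below is an added illustration of that comparison; it is not the scanner's code nor part of the bt-download skill. It runs a small rule set over constructed stand-ins for plugin.ts and SKILL.md (modelled on the snippets quoted in the findings), reports each resource as consistent or undeclared with line-number evidence, and prints the declaration lines that would close the gap. The `capabilities:` frontmatter layout, the rule set, the resource names and the sample inputs are all assumptions; the sample SKILL.md declares only env access, so shell, network, privilege and file-system access come out undeclared, as in the report.

```typescript
// Added example, not code from the bt-download skill or the scanner.
// Infers the capabilities a skill's source actually exercises, compares them
// with the capabilities declared in SKILL.md, and suggests the missing lines.
// The "capabilities:" frontmatter format and the rule set are assumptions.

type Level = "NONE" | "READ" | "WRITE";
const ORDER: Record<Level, number> = { NONE: 0, READ: 1, WRITE: 2 };

interface Evidence { resource: string; level: Level; line: number; snippet: string }
interface Row {
  resource: string; declared: Level; inferred: Level;
  status: "consistent" | "undeclared"; evidence: string;
}

// Source patterns and the resource/access level each one implies.
// Requests to localhost are excluded from "network": the aria2 RPC endpoint is local.
const RULES: { re: RegExp; resource: string; level: Level }[] = [
  { re: /\b(?:exec|execSync|spawn|execFile)\s*\(/, resource: "shell", level: "WRITE" },
  { re: /\bsudo\b/, resource: "privilege", level: "WRITE" },
  { re: /https?:\/\/(?!(?:localhost|127\.0\.0\.1)\b)/, resource: "network", level: "READ" },
  { re: /\b(?:readFileSync|readFile|createReadStream)\s*\(/, resource: "fs", level: "READ" },
  { re: /\b(?:writeFileSync|writeFile|createWriteStream)\s*\(/, resource: "fs", level: "WRITE" },
  { re: /\bprocess\.env\b/, resource: "env", level: "READ" },
];

// Scan each source line against the rules; the 1-based line number is the evidence.
function inferCapabilities(source: string): Evidence[] {
  const found: Evidence[] = [];
  source.split("\n").forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        found.push({ resource: rule.resource, level: rule.level, line: i + 1, snippet: text.trim() });
      }
    }
  });
  return found;
}

// Read "capabilities:" followed by "  - <resource>: <LEVEL>" items (assumed layout).
function parseDeclared(skillMd: string): Record<string, Level> {
  const declared: Record<string, Level> = {};
  const block = skillMd.match(/^capabilities:\n((?:[ \t]+-.*\n?)*)/m);
  if (!block || !block[1]) return declared;
  for (const item of block[1].split("\n")) {
    const kv = item.match(/-\s*(\w+)\s*:\s*(NONE|READ|WRITE)/);
    if (kv && kv[1] && kv[2]) declared[kv[1]] = kv[2] as Level;
  }
  return declared;
}

// One row per resource: the strongest inferred level versus the declared level.
function compareCapabilities(skillMd: string, source: string): Row[] {
  const declared = parseDeclared(skillMd);
  const byResource: Record<string, Evidence[]> = {};
  for (const ev of inferCapabilities(source)) {
    (byResource[ev.resource] = byResource[ev.resource] || []).push(ev);
  }
  const names = Object.keys(declared).concat(Object.keys(byResource));
  const unique = names.filter((n, i) => names.indexOf(n) === i).sort();
  return unique.map((resource): Row => {
    const evs = byResource[resource] || [];
    const inferred = evs.reduce<Level>((acc, e) => (ORDER[e.level] > ORDER[acc] ? e.level : acc), "NONE");
    const decl = declared[resource] || "NONE";
    return {
      resource, declared: decl, inferred,
      status: ORDER[inferred] > ORDER[decl] ? "undeclared" : "consistent",
      evidence: evs.map(e => `plugin.ts:${e.line}`).join(", "),
    };
  });
}

// The SKILL.md lines that would bring the declaration in line with the code.
function suggestDeclarations(rows: Row[]): string[] {
  return rows.filter(r => r.status === "undeclared").map(r => `  - ${r.resource}: ${r.inferred}`);
}

function pad(s: string, width: number): string {
  let out = s;
  while (out.length < width) out += " ";
  return out;
}

function renderReport(rows: Row[]): string {
  return rows.map(r =>
    `${pad(r.resource, 10)} declared=${pad(r.declared, 5)} inferred=${pad(r.inferred, 5)} ` +
    `${r.status === "undeclared" ? "✗ undeclared" : "✓ consistent"}  ${r.evidence}`).join("\n");
}

// Constructed stand-in for plugin.ts, modelled on the snippets quoted in the findings.
const SAMPLE_PLUGIN = [
  'import { exec } from "child_process";',
  'import * as fs from "fs";',
  'const rpc = "http://localhost:6800/jsonrpc";',
  "exec('which aria2c && aria2c --version | head -1', cb);",
  "exec('sudo apt-get update && sudo apt-get install -y aria2', cb);",
  "exec('curl -s https://raw.githubusercontent.com/ngosang/...', cb);",
  'const dir = process.env.DOWNLOAD_DIR || "/downloads";',
  "const torrent = fs.readFileSync(torrentPath);",
].join("\n");

// Constructed stand-in for SKILL.md: declares env access only.
const SAMPLE_SKILL = "---\nname: bt-download\ncapabilities:\n  - env: READ\n---\n";

const report = compareCapabilities(SAMPLE_SKILL, SAMPLE_PLUGIN);
console.log(renderReport(report));
console.log("Add to SKILL.md:\n" + suggestDeclarations(report).join("\n"));
```

The rules are deliberately coarse: any `exec(` counts as shell WRITE regardless of the command, and a line carrying both `exec(` and `sudo` produces evidence for both the shell and privilege rows, which is why the shell row here cites three lines while privilege cites one, mirroring the report's 77/96/128 versus 96 split.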
External URLs: 1 finding

Medium  External URL  https://aria2.github.io  (SKILL.md:4)

Directory structure

2 files · 20.7 KB · 591 lines
TypeScript: 1 file, 456 lines · Markdown: 1 file, 135 lines
├─ plugin.ts  (TypeScript, 456 lines, 17.2 KB)
└─ SKILL.md   (Markdown, 135 lines, 3.4 KB)

Security highlights

✓ All network requests go to localhost (RPC) or legitimate BT-related services (GitHub for trackers)
✓ No credential harvesting or sensitive data access detected
✓ No obfuscated code, base64 execution, or reverse shell patterns
✓ Uses standard aria2 RPC protocol for actual downloading
✓ No persistence mechanisms (no cron, no autostart) beyond the aria2 process itself
✓ No data exfiltration or C2 communication patterns
✓ Legitimate, well-known open source tool (aria2)