Local File Manager 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill is plausibly a genuine local file manager, but it runs a shell wrapper with unsafe argument handling and makes inconsistent claims about its file-access boundary, so installing it without review is risky.

Install only in a disposable or tightly sandboxed workspace. Do not trust the cwd-only claim unless the shell wrapper is replaced with safe argument handling and path validation, logging is kept inside the workspace or explicitly opted into, and destructive actions require clear confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The documentation claims the skill is sandboxed to the current working directory, yet later examples and configuration reference writing to /var/log and logging to ~/.openclaw/logs, both outside cwd. This contradiction undermines trust boundaries and could permit unexpected access to host files or leakage of sensitive data beyond the advertised sandbox.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The skill description says operations are limited to the session working directory, but the markdown documents behavior that accesses paths outside cwd. Misrepresenting scope is dangerous because agents may use the skill in contexts where cwd-only access is acceptable, while the implementation or operator guidance may actually touch broader filesystem locations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: A cwd-scoped file manager does not need to write logs under the user's home directory or rely on environment-controlled paths for log placement without strong constraints. This expands the skill's effective reach and can create data leakage, tampering, or path-abuse opportunities outside the advertised sandbox.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The skill invokes a shell script through exec() and concatenates user-controlled arguments into a command string. Because action, path, dir, content, and pattern are inserted without shell escaping, an attacker can inject shell metacharacters and execute arbitrary commands, exceeding the stated local file-management purpose.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The code claims 'safe file I/O within cwd' but actually builds a shell command from untrusted input and delegates enforcement to an external script. In this context, that mismatch is dangerous because callers may trust the safety guarantee while the implementation permits command injection and potentially access outside the intended working directory.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The advertised capability says the skill is for reading, writing, appending, and listing files, but the implementation also supports mkdir and delete. This is a real security-relevant mismatch because agents or users may grant or invoke the skill under the assumption that it is non-destructive, while the hidden extra actions expand its authority to modify and remove filesystem state.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The delete action introduces destructive behavior that is broader than the stated purpose of safely persisting and reading local files. In an agent setting, this increases the risk of unintended data loss because a caller may use the tool expecting safe file management semantics, while the tool can permanently remove files without stronger policy checks.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The manifest metadata presented to users says the skill is for reading, writing, appending, and listing files in the session working directory, but the actual description expands behavior to directory traversal, search, move, and delete operations. This mismatch can mislead users or higher-level policy checks about the skill's real capabilities, increasing the chance that destructive or privacy-impacting actions are granted under an understated description.

Scope Creep

Severity: Medium
Confidence: 95%
Finding: The permissions grant read, write, and delete access to all paths under ~/.openclaw/workspace/**, which is broader than the stated 'session working directory' scope. If the skill is invoked in a narrower context, this broader access could be used to modify or remove unrelated workspace files, causing data loss or unauthorized access across projects.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The delete operation runs rm as soon as the path check passes, with no confirmation prompt, no separation between a dry run and real execution, and no requirement for an explicit acknowledge flag. In the context of an agent skill that manages local files, this makes accidental or manipulated file deletion more dangerous because a single mistaken invocation can cause irreversible data loss.

VirusTotal

53/53 vendors flagged this skill as clean.
