File Organizer Skill
Status: Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: file-organizer-skill
Version: 1.0.0

The `scripts/organize.py` skill is suspicious due to a critical file movement vulnerability in its `undo` functionality. The `undo` function takes a user-supplied `log_file` path without sufficient validation. This `log_file` is parsed as JSON, and its `src` and `dst` fields are used directly in `shutil.move(dst, src)`. An attacker could craft a malicious `organize_history.json` file containing arbitrary `src` and `dst` paths, allowing them to move any file on the system (e.g., `/etc/passwd` to `/tmp/backup` or vice versa) by executing the skill with the `--undo` flag, leading to potential data tampering, denial of service, or privilege escalation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on the wrong folder, or with recursive mode unintentionally, it may move many local files into new folders.
The script can move local files, and the optional recursive mode can broaden the operation to many files under the chosen directory. This is purpose-aligned for a file organizer but should be used intentionally.
Evidence: `parser.add_argument("--recursive", action="store_true", help="Deep scan")` ... `shutil.move(file_path, final_dest)`

Recommendation: Run with `--dry-run` first, choose a narrow directory, and use `--recursive` only when you deliberately want subfolders reorganized.
The history file may reveal filenames and paths, and undo relies on the contents of that file.
The script persists a local history file containing source and destination file paths so undo can replay the moves.
Evidence: `self.history.append({"src": file_path, "dst": final_dest})` ... `json.dump(self.history, f, indent=2)`

Recommendation: Keep `organize_history.json` private, use undo only with a trusted history file generated by this script, and delete the history when it is no longer needed.
