Perkoon Transfer

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent file-transfer skill, but users should notice that it can move local files between humans, agents, and pipelines using npm-based tools.

Install this only if you want your agent to send and receive files. Before each transfer, verify the exact file path, recipient, session code, and whether a password is needed. Do not open or execute received files unless you trust the sender, and prefer the pinned npm commands documented in the skill.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent sends the wrong file or shares the link with the wrong party, private local data could be disclosed.

Why it was flagged

The skill documents sending an arbitrary user-selected local file via a shell command. This is central to the file-transfer purpose, but a wrong path or recipient could expose private data.

Skill content

npx -y perkoon@0.3.6 send /path/to/file --json --timeout 1800 > /tmp/perkoon-send.log 2>&1 &

Recommendation

Confirm the exact file path, recipient, and share URL before sending. Use the documented password option for sensitive files.

What this means

Files may move between agents or systems without a person watching each step, so an untrusted session code or peer could lead to unintended file exchange.

Why it was flagged

The skill explicitly supports transferring files between agents without human participation. This is purpose-aligned, but users should control which agents/sessions are trusted.

Skill content

**Agent → Agent**: CLI to CLI, MCP to MCP, or A2A to A2A. Two machines, no humans in the loop.

Recommendation

Only use session codes and sender keys from trusted peers, and inspect received files before opening or executing them.

What this means

Installing from npm gives the package maintainer control over the executable used for file transfers.

Why it was flagged

The registry install spec names a Node package but does not show an explicit version pin. This is expected for a Node-based CLI, but package provenance and version pinning matter for a transfer tool.

Skill content

node | package: perkoon | creates binaries: perkoon

Recommendation

Prefer the pinned versions shown in SKILL.md, and install only if you trust the Perkoon npm packages and publisher.

What this means

A transfer can remain active for the configured timeout while waiting for a receiver.

Why it was flagged

The documented CLI workflow backgrounds a transfer process and records its PID. It is disclosed and bounded by a timeout, but it keeps running while the transfer is pending.

Skill content

echo $! > /tmp/perkoon-send.pid

Recommendation

Let the agent monitor the transfer to completion, and cancel the background process if the transfer should no longer be available.