Everything 文件搜索 (Everything File Search)
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly does what it advertises, but it can broadly search local files and return selected file contents, so it deserves careful review before installation.
Install only if you are comfortable giving the agent broad local file-search capability. Use narrow search terms, review results carefully before using the send command, and avoid sending sensitive files unless you explicitly intend to share them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A selected local file's contents could be placed into the agent/chat context, including private documents if they appear in search results.
The send_file function reads the selected local file and returns its full base64-encoded content. The artifacts do not show a path allowlist, sensitive-directory exclusions, or an extra approval step before returning file contents.
with open(file_path, 'rb') as f:
    file_content = f.read()
...
"content": base64.b64encode(file_content).decode('utf-8')
Add explicit confirmation before sending, restrict allowed directories or file types, exclude sensitive locations by default, and check file size before reading the file into memory.
File names, full paths, project names, user names, and timestamps may reveal private local information even before any file is sent.
The skill queries Everything's local index and returns full paths, sizes, and timestamps for matching files. The search is not bounded to a user-approved root or exclusion list.
EVERYTHING_REQUEST_FULL_PATH_AND_FILE_NAME | EVERYTHING_REQUEST_SIZE | EVERYTHING_REQUEST_DATE_CREATED | EVERYTHING_REQUEST_DATE_MODIFIED
...
everything_dll.Everything_SetSearchW(query)
everything_dll.Everything_SetMax(10)
Let users configure allowed search roots and exclusions, warn that full paths will be exposed to the agent, and avoid returning sensitive metadata unless requested.
If the wrong DLL is installed, the skill will load native code from that DLL.
The skill depends on a manually downloaded native DLL that is outside the provided package. This is purpose-aligned for the Everything SDK, but the artifacts do not provide version pinning or hash verification.
Download the Everything SDK from https://www.voidtools.com/support/everything/sdk/ ... Place the DLL file in the skill's `libs` folder or in the skill root directory
Download the SDK only from the official source, verify checksums if available, and avoid placing untrusted DLLs in the skill or configured SDK paths.
