Finder
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a local file-finding skill with no network or credential use, but its shell script expands search arguments unquoted inside find commands, so a path or pattern containing spaces or glob characters is split into extra find arguments instead of being treated as data.
Only use this skill with trusted, simple search paths and patterns. Until the script quotes and validates its arguments, avoid passing user-provided strings, or values containing spaces, glob characters, or a leading dash, as search inputs.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed search argument could make the script behave outside the intended file-search scope, potentially exposing, modifying, or executing actions on local files under the user's account.
These commands expand command-line arguments unquoted inside the find invocations, with no validation. Unquoted expansion is subject to word splitting and pathname expansion, so a crafted path or pattern containing spaces can be parsed as additional find predicates or actions rather than as data, and a pattern containing a glob can be expanded against the current directory before find ever sees it.
find ${3:-.} -name $2 2>/dev/null | head -20
find ${3:-.} -type f -size +${2:-1M} 2>/dev/null | head -20
find ${2:-.} -empty 2>/dev/null | head -20
Quote all variable expansions, validate patterns and numeric parameters, build the argument list in an array (or with set -- and "$@" in POSIX sh, which has no arrays), and prevent user input from becoming arbitrary find expressions or actions.
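As an added illustration of this finding (example code, not the Finder skill's script and not ClawScan output), the shell below reproduces the unquoted -name invocation from the report beside a quoted and validated rewrite. The function names, the safe_root and validate_size helpers and the temp-directory setup are assumptions; the positional numbers are shifted by one because the subcommand argument is dropped. Since POSIX sh has no arrays, the hardened functions assemble the argument list with set -- and pass "$@", which is the portable equivalent of the array the remediation asks for.

```shell
#!/bin/sh
# Added example, not the Finder skill's script: the unquoted find call from the
# finding next to a quoted and validated rewrite. Function and helper names are
# assumptions; all files are created in a throwaway temp directory.

# Vulnerable form (positional numbers shifted: $1 = pattern, $2 = root).
# Unquoted $1 undergoes word splitting and pathname expansion, so a value with
# spaces turns into several find arguments and '*' expands against the cwd.
vulnerable_find_name() {
    find ${2:-.} -name $1 2>/dev/null | head -20
}

# find reads the first argument beginning with '-', '(' or '!' as the start of
# the expression, so a relative root gets a './' prefix and can only be a path.
safe_root() {
    case "$1" in
        "")          printf '.\n' ;;
        /*|./*|../*) printf '%s\n' "$1" ;;
        *)           printf './%s\n' "$1" ;;
    esac
}

# -size wants an integer with an optional unit suffix; anything else (such as
# '1M -o -delete') is rejected before it can reach the expression.
validate_size() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[bcwkMG]?$'
}

# Hardened form: every expansion quoted, arguments assembled with set -- (the
# POSIX stand-in for an array), so each value stays exactly one word.
safe_find_name() {
    pattern=$1
    [ -n "$pattern" ] || { echo "empty pattern" >&2; return 2; }
    root=$(safe_root "$2")
    set -- "$root" -name "$pattern"
    find "$@" 2>/dev/null | head -20
}

safe_find_large() {
    size=${1:-1M}
    validate_size "$size" || { echo "bad size: $size" >&2; return 2; }
    root=$(safe_root "$2")
    set -- "$root" -type f -size "+$size"
    find "$@" 2>/dev/null | head -20
}

# Demonstration: the same crafted pattern makes the unquoted script run an
# action (a harmless touch inside the temp dir) while the quoted one merely
# searches for a file literally named 'nomatch -o -exec ... ;'.
# Prints "injected=yes blocked=yes".
demo() {
    d=$(mktemp -d)
    touch "$d/report.txt" "$d/notes.md"
    crafted="nomatch -o -exec touch $d/pwned ;"

    vulnerable_find_name "$crafted" "$d" >/dev/null
    if [ -e "$d/pwned" ]; then injected=yes; else injected=no; fi
    rm -f "$d/pwned"

    safe_find_name "$crafted" "$d" >/dev/null
    if [ -e "$d/pwned" ]; then blocked=no; else blocked=yes; fi

    rm -rf "$d"
    printf 'injected=%s blocked=%s\n' "$injected" "$blocked"
}

demo
```

Quoting alone is what stops the predicate injection: find takes the single word after -name as the pattern no matter what it contains, and a quoted "+1M -o -delete" is simply an invalid -size argument that makes find exit with an error. The explicit validate_size and safe_root checks are defence in depth that turn those failures into clear messages and keep a root such as "-delete" or "(" from ever being read as the start of an expression.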
Users may expect duplicate removal or more reliable search behavior than the implementation actually provides.
The provided script appears to return raw find results truncated with head, and no deduplication behavior is evident in the supplied source. This is a capability mismatch rather than evidence of malicious behavior.
Find files by name, size, date, and type with deduplication.
Treat the results as plain, best-effort find output unless the author documents and implements actual deduplication.
