Finder
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed search argument could make the script behave outside the intended file-search scope, potentially exposing, modifying, or executing actions on local files under the user's account.
These commands use command-line arguments directly in shell-expanded find invocations without quoting or validation. Crafted path or pattern values could be parsed as additional find predicates or actions rather than as data.
find ${3:-.} -name $2 2>/dev/null | head -20
find ${3:-.} -type f -size +${2:-1M} 2>/dev/null | head -20
find ${2:-.} -empty 2>/dev/null | head -20
Quote all variable expansions, validate patterns and numeric parameters, use safe arrays for command construction, and prevent user input from becoming arbitrary find expressions or actions.
Users may expect duplicate removal or more reliable search behavior than the implementation actually provides.
The provided script appears to return raw find results truncated with head, and no deduplication behavior is evident in the supplied source. This is a capability mismatch rather than evidence of malicious behavior.
Find files by name, size, date, and type with deduplication.
Treat results as a simple best-effort find output unless the author documents and implements actual deduplication.
