Finder
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: finder
Version: 3.0.0

The script 'scripts/script.sh' contains multiple shell injection vulnerabilities because user-provided arguments are passed unquoted to shell commands like 'find' and 'head' (e.g., in cmd_name, cmd_size, and cmd_large). This allows for arbitrary command execution if the input contains shell metacharacters. While the tool's functionality aligns with its description as a file finder, the lack of input sanitization and the presence of unusual padding (large blocks of empty comments) in the script make it high-risk, though there is no explicit evidence of intentional malice or data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed search argument could make the script behave outside the intended file-search scope, potentially exposing, modifying, or executing actions on local files under the user's account.
These commands use command-line arguments directly in shell-expanded find invocations without quoting or validation. Crafted path or pattern values could be parsed as additional find predicates or actions rather than as data.
find ${3:-.} -name $2 2>/dev/null | head -20
find ${3:-.} -type f -size +${2:-1M} 2>/dev/null | head -20
find ${2:-.} -empty 2>/dev/null | head -20

Quote all variable expansions, validate patterns and numeric parameters, use safe arrays for command construction, and prevent user input from becoming arbitrary find expressions or actions.
Users may expect duplicate removal or more reliable search behavior than the implementation actually provides.
The provided script appears to return raw find results truncated with head, and no deduplication behavior is evident in the supplied source. This is a capability mismatch rather than evidence of malicious behavior.
"Find files by name, size, date, and type with deduplication."
Treat results as a simple best-effort find output unless the author documents and implements actual deduplication.
