ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Finder

v3.0.0

Find files by name, size, date, and type with deduplication. Use when searching filesystems.

0· 276·0 current·0 all-time
by@bytesagain3
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with the included assets: SKILL.md documents commands that call scripts/script.sh, and that script implements searching by name, size, date, type, emptiness, and largest files. No unrelated credentials, binaries, or downloads are requested.
Instruction Scope
SKILL.md instructs the agent to run the bundled shell script; the script only invokes local find/sort/head utilities and writes no data externally. Minor concern: the script creates ~/.local/share/finder/ and claims data is stored there, but the script does not actually write persistent data beyond creating the directory. Also some command arguments in the script are unquoted (e.g., find ${3:-.} -name $2), which can lead to unexpected word-splitting or glob expansion if arguments contain whitespace or shell metacharacters—sanitizing or quoting user-provided arguments would be safer.
Install Mechanism
No install specification or external downloads; instruction-only with a single shell script included in the package. Low risk from install mechanism.
Credentials
The skill requests no environment variables, credentials, or config paths. It reads $HOME to create a per-user data directory, which is proportionate to the declared Data Storage location.
Persistence & Privilege
always:false and no modifications to other skills or system-wide settings. The script creates a per-user directory (~/.local/share/finder) but does not modify other agent configs or request elevated privileges.
Assessment
This skill appears coherent and local-only: it runs a bundled shell script that uses find/sort/head to list files and does not call external services or request secrets. Before installing, review whether you or your agent will pass untrusted input to the script—because several arguments are unquoted, crafted inputs with spaces or shell metacharacters could behave unexpectedly. If you plan to use it in automation, either ensure arguments are sanitized/quoted or patch the script to properly quote variables (e.g., use "${var}" in find invocations). Also note the script creates ~/.local/share/finder but currently doesn't persist other data; that is harmless but worth being aware of.

Like a lobster shell, security has layers — review code before you run it.

latestvk970d08v9329xqhjzfcrx21ar98377fz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments