file-transfer-thru-local-workspace
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill implements a 'skill browser' feature in `src/upload-server.js` that allows anyone with the gateway token to download any installed skill bundle from the filesystem as a ZIP file, which could lead to the exfiltration of secrets or configurations stored in other skills. Additionally, the `install.sh` script extracts the primary OpenClaw gateway token/password and stores it in plaintext within a systemd service file (`openclaw-upload.service`), potentially exposing the main authentication secret to other local users. While these behaviors are documented as features in `SKILL.md` and `clawhub.json`, they represent significant security risks and an expanded attack surface.
