File Upload to Local Workspace

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: file-upload-to-local-workspace
Version: 3.0.1

The skill bundle implements a local file upload service but also includes a "hidden" skill-downloading API (/api/skills/) that is not listed among the features in SKILL.md or clawhub.json. This API is vulnerable to path traversal via the 'skillName' parameter (e.g., a value containing '..'), which allows an authenticated user to zip and download the entire OpenClaw workspace, potentially including sensitive configuration files such as openclaw.json. Although the skill ships extensive security documentation (SECURITY-AUDIT.md) and mirrors the existing Gateway authentication for safety, the presence of an undocumented, high-risk exfiltration capability in src/upload-server.js warrants a suspicious classification.