Skillv1.0.0

ClawScan security

Clawdbot Filesystem.Bak · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 4, 2026, 9:13 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description matches a filesystem utility, but the package/installation details and runtime instructions are internally inconsistent and could lead to unexpected downloads or failed/unsafe installs — review before use.
Guidance: What to check before installing: - Confirm the package includes the actual CLI binary: the manifest references a './filesystem' executable but that file is not present in the provided manifest. Installing as-is may fail or cause the installer to fetch code from the network. - The README/SKILL.md recommends git clone and npm install or using npx to fetch an MCP server. Those steps download and run remote code; only proceed if you trust the remote repositories and have reviewed their source. - The skill requests read-write filesystem capability (expected), which can access user files. Ensure you only allow it access to limited, non-sensitive directories (use MCP or explicit allowed paths) and enable dry-run/confirm prompts before any destructive operations. - Verify the network/no-network contradiction: package.json claims no network but instructions require network. Clarify this with the publisher or inspect the remote repo before running installs that use git/npx. - If you plan to use the MCP server option, review the @modelcontextprotocol/server-filesystem package and its configuration; ensure allowed directories do not include system or credential storage paths (e.g., /, /etc, home dirs with secrets). - Because the bundle appears incomplete/mispackaged, prefer installing from the upstream repository on GitHub and auditing the 'filesystem' executable script before giving it permissions or running it.

Review Dimensions

Purpose & Capability: noteName/description and declared dependency on node are appropriate for a filesystem CLI. However, the package metadata (package.json) advertises a CLI binary at ./filesystem and read-write filesystem permissions, but the manifest does not include an actual executable named 'filesystem'. That mismatch indicates the bundle is incomplete or mispackaged.
Instruction Scope: noteSKILL.md instructs the agent to run a local 'filesystem' CLI and gives many example commands that would access arbitrary directories (including /var/log). It also suggests cloning a GitHub repo, running npm install -g ., or installing an MCP server via npx. The instructions do not request unrelated env vars or secrets, but they do permit broad filesystem operations and recommend network installs (git/npx) despite package.json claiming no network — an inconsistency. The instructions are otherwise focused on filesystem tasks and include safety notes (protected paths, dry-run).
Install Mechanism: concernThe skill is instruction-only (no install section) but its README/SKILL.md recommend git clone and npm install -g or using ClawdHub. The manifest contains package.json/package-lock but the actual CLI file referenced by the package (./filesystem) is missing from the provided file list, so following the install steps will likely fail or result in fetching remote code. The MCP-install suggestion uses npx to pull @modelcontextprotocol/server-filesystem from the registry, which will download and execute remote code — legitimate for the MCP server but increases risk and should be explicitly acknowledged.
Credentials: noteThe skill declares no required environment variables or primary credential. package.json claims 'network': 'none' in clawdbot.permissions, but SKILL.md suggests git clone and npx usage which require network access — a contradiction. No secrets are requested; filesystem read-write permission is expected for this type of tool but grants broad local access if enabled.
Persistence & Privilege: okalways:false (no forced inclusion) and model invocation is allowed (default). The skill does not request exceptional platform privileges or claim to modify other skills' configurations. It does indicate read-write filesystem permission (expected for this tool) — exercising that permission should be limited to explicitly allowed directories.