Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Claw2claw Filetransfer
v1.0.0
Cross-platform file transfer between OpenClaw agents via rsync over SSH. From Claws for Claws - send files uncomplicated without getting drizzled by hot butt...
by Christopher (@christopher-schulze)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md advertises a runnable 'claw2claw' CLI with commands (setup, send, get, sync-*) and an uninstall step that removes /usr/local/bin/claw2claw, but the package is instruction-only and contains no executable or installer for that CLI. The only declared install action is to install rsync/openssh-client via apt, which does not provide the claimed 'claw2claw' binary. This mismatch means the skill as published cannot actually perform the advertised automated functionality unless an external binary is installed separately.
Instruction Scope
The instructions tell the agent to test SSH connectivity, add SSH keys to a remote, and write/read config at ~/.claw2claw.conf and ~/.ssh/. Those file and key operations are outside the declared requirements (requires.config_paths is empty). The docs also instruct running ssh/rsync commands and warn about destructive rsync options (deletes on sync), which could lead to data loss if blindly followed. The instructions are concrete about manipulating keys/config but provide no safe, constrained procedure or requirement declarations.
Install Mechanism
There is no install spec that fetches code from arbitrary URLs; the metadata suggests installing rsync/openssh-client via the system package manager (apt) which is a standard, low-risk operation. Because the skill is instruction-only, nothing in the registry package will write code to disk automatically.
Credentials
The skill declares no required environment variables, but the SKILL.md examples reference REMOTE_HOST, REMOTE_USER, REMOTE_PORT, SSH_KEY, and RSYNC_BWLIMIT, and the Security section references ~/.ssh/ and a config file. That implicitly requires access to SSH keys (potentially private keys) and to create/read config files, yet these accesses are not declared as required credentials. This gap makes it unclear what sensitive data the agent or user must expose for 'setup' to work.
Persistence & Privilege
always:false and user-invocable:true (defaults) — the skill does not request persistent platform privileges. However, SKILL.md describes installation/uninstallation of a CLI and writes a config file (~/.claw2claw.conf). Because no installer is bundled, any persistent artifacts would come from external software the user installs; the skill itself does not create that persistence.
What to consider before installing
This package is documentation for using rsync over SSH rather than a runnable plugin. Before installing or using it:
- Understand it does not include a 'claw2claw' binary — you must either install a separate CLI from a trusted source or run the shown rsync/ssh commands yourself.
- The instructions assume access to your SSH key files (~/.ssh/) and will (per docs) add keys to remotes and create ~/.claw2claw.conf; only proceed if you trust the remote host and you understand where keys/configs will be written.
- Be careful with rsync options that delete remote/local files (sync-to-remote/sync-from-remote warnings); test with --dry-run first.
- If you plan to install a third-party 'claw2claw' binary to match these docs, verify its source (checksums, GitHub release, maintainer) before running it; avoid copying private keys to unknown installers.
- If you want automated behavior from an agent, prefer a skill that either provides its implementation or clearly documents exactly which local files it will read/write and which external endpoints it will contact. If unsure, treat this as guidance-only and execute transfers manually.
Like a lobster shell, security has layers — review code before you run it.
latest: vk977j7tjavgbw1rzmsaw0xt0gn818hyx
Runtime requirements
📦 Clawdis
Bins: rsync, ssh
