Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Taildrop
v1.0.0
Download files from Tailscale Taildrop inbox to local storage. Use when user wants to retrieve files sent via Tailscale or mentions Taildrop.
by Roaming@cortexuvula
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Benign (medium confidence)
Purpose & Capability
The name/description and the provided script both target Tailscale Taildrop retrieval and are consistent with each other. Minor incoherence: the registry metadata lists no required binaries, but the SKILL.md and script clearly require the 'tailscale' CLI to be installed and (optionally) operator privileges; the skill should have declared that dependency.
Instruction Scope
SKILL.md instructs the agent/user only to run the included script and to set Tailscale operator or use sudo when needed; it does not attempt to read unrelated files or exfiltrate data. Caveat: the script constructs a command string and calls it via eval, which introduces a command-injection risk if untrusted input is passed as the target directory. The README also suggests making the user a Tailscale operator (a system-level change) which broadens the scope of the operation.
Install Mechanism
This is an instruction-only skill with no install spec and no external downloads—low installation risk.
Credentials
The skill requests no environment variables or external credentials, which is appropriate. It does, however, advise running 'sudo tailscale set --operator=$USER' (or using sudo per-run) so the script can access tailscale file commands without sudo; this requires elevated privileges and affects Tailscale configuration, which is relevant and worth review before granting.
Persistence & Privilege
The skill does not request permanent platform presence (always:false) and does not modify other skills or agent configurations. The only privilege elevation discussed is the optional Tailscale operator setting, which is external to the skill and performed by the user via sudo.
Assessment
This skill appears to do what it says (download Taildrop files), but review these points before installing or running it:
- Ensure the 'tailscale' CLI is installed from an official source; the skill should have declared this dependency.
- The SKILL.md suggests setting your account as a Tailscale operator with sudo. That is a system-level change; understand what operator privileges mean for your Tailscale setup before doing it. If you prefer, run the script with sudo per-download instead of permanently changing operator status.
- The script uses eval to run the constructed command. Avoid passing untrusted or specially-crafted directory paths to the script (do not call it with user-supplied input you don't control) because that can enable command injection. Consider removing eval or using an array-based exec if you plan to modify the script.
- If you are cautious, inspect and run the script manually (not as root) to verify behavior on a disposable test machine or directory before using it in production.
