Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skill Auto Attach
v1.0.0Monitors workspace for new or updated .html, .md, .txt files and automatically attaches them to Telegram messages instead of showing code.
⭐ 0· 644·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The claimed purpose (monitor workspace and attach .html/.md/.txt files to Telegram) roughly matches the script's observed behavior (watching a directory and sending files via the OpenClaw message tool). However there are important mismatches: the SKILL.md instructs installation under ~/.openclaw/skills and expects to work with the current workspace, while the script hard-codes WATCH_DIR=/home/elodyzen/.openclaw/workspace. The SKILL.md claims file-type filtering (.html/.md/.txt) but the script does no extension filtering and will copy and send any regular file it detects.
Instruction Scope
SKILL.md is high-level and omits several runtime details that the script performs. The script watches file creation/modify events, copies files to /tmp, and sends them via openclaw message send --target=telegram --media=...; it does not prompt the user or restrict which files are sent. The instructions do not mention the required inotifywait binary or that any file type may be transmitted. The script logs to a hard-coded user path and will run continuously once enabled.
Install Mechanism
There is no install spec (instruction-only skill with an included script), which reduces risk of arbitrary downloads. However the script depends on inotifywait (from inotify-tools) and the openclaw message CLI, neither of which are declared in SKILL.md's requirements — this is an operational mismatch that could cause silent failures or unexpected behavior when those binaries are present/absent.
Credentials
The skill requests no credentials and doesn't reach out to unknown endpoints; it sends files through the platform's message tool (expected). Nevertheless, the hard-coded WATCH_DIR and LOG_FILE point to a specific user's home (/home/elodyzen), which is disproportionate and brittle — on multi-user systems this may point at the wrong directory. More importantly, because the script does not filter by extension, it can exfiltrate arbitrary files from the watched directory (including secrets) to a Telegram channel without per-file confirmation.
Persistence & Privilege
The skill is not marked always:true and doesn't request system-wide config changes. It will run a long-lived watcher process once enabled and write logs under its own skill directory and temp files under /tmp. That persistent monitoring combined with unrestricted file sending increases risk of accidental data leakage, but it does not itself indicate privilege escalation.
What to consider before installing
This skill contains clear mismatches and some risky behavior — do not enable it without review. Specific recommendations: (1) Inspect and modify the script to use the correct workspace path (prefer using the runtime-provided workspace path or an environment variable rather than /home/elodyzen). (2) Add explicit extension filtering (only .html, .md, .txt) and/or a whitelist/confirmation step before sending files. (3) Declare and check for required binaries (inotifywait / inotify-tools and the openclaw message tool) in SKILL.md. (4) Avoid hard-coded paths for logs and workspace; use configurable paths. (5) Test in an isolated environment (with no secrets) to verify behavior. (6) Consider adding an opt-in prompt or per-file approval before transmitting files to Telegram. If you cannot make these changes or verify the message tool's target is the intended Telegram channel, treat the skill as potentially leaking sensitive files and do not install it in production.Like a lobster shell, security has layers — review code before you run it.
latestvk973rd719q81cffjhyckyzczp5816ckf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.