Ftp Client
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: ftp-client
Version: 0.1.0
The skill implements a functional FTP/FTPS client but contains a security vulnerability in `scripts/ftp-utils.mjs` where it explicitly disables SSL certificate verification (`rejectUnauthorized: false`). This configuration exposes FTPS connections to Man-in-the-Middle (MITM) attacks. While the code aligns with its stated purpose of file management and uses the legitimate `basic-ftp` library, the intentional bypass of security defaults is a high-risk flaw.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
FTP usernames, passwords, file listings, and transferred files could be exposed or modified by a network attacker if FTPS traffic is intercepted.
For FTPS connections, the script disables TLS certificate validation by default. That is not clearly disclosed in SKILL.md and can allow man-in-the-middle interception even when the user selects FTPS.
accessOpts.secureOptions = { rejectUnauthorized: false, };
Only use this with trusted servers and networks unless certificate validation is restored. Prefer changing the code to validate certificates by default and add an explicit option for self-signed servers.
A mistaken or autonomous invocation could delete remote server content.
The skill exposes destructive remote file operations, including recursive directory deletion. This is disclosed and aligned with an FTP client, but it is high-impact if invoked on the wrong path.
node {baseDir}/scripts/delete.mjs "/remote/dir" --dir ... Remove directory recursively (including all contents)
Use a least-privilege FTP account, confirm remote paths before deletion or overwrite operations, and avoid granting this skill access to production directories unless needed.
Anyone or any agent workflow using this skill can perform actions allowed by the configured FTP account.
The skill requires FTP credentials in the FTP_CONNECTION environment variable. This is expected for the stated purpose, but it gives the agent the same FTP permissions as that account.
host:port,username,password,active/passive,ftp/ftps,explicit/implicit
Use a dedicated FTP account with only the directories and permissions needed, and rotate the password if it may have been exposed.
A future dependency update could change behavior or introduce vulnerabilities.
The skill relies on an npm dependency with a caret version range, so future compatible versions may be installed. The dependency is central to the FTP purpose, but the version is not fully pinned.
"dependencies": { "basic-ftp": "^5.0.5" }
Pin dependencies or use a lockfile/provenance review when installing in sensitive environments.
