ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

findFilePath

v1.0.0

Helps locate local files by searching common directories for a specified file name or partial name on Windows, macOS, and Linux.

0· 402·0 current·0 all-time
by@fidods
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description (find local files) match the contents of SKILL.md. The skill requests no binaries, no environment variables, and no install — all proportionate for a read-only file-search helper.
Instruction Scope
SKILL.md instructs the agent to search common directories (Home, Desktop, Documents, Downloads) and optionally the entire disk. The instructions are high-level and do not specify which OS commands or APIs will be used. That makes the scope coherent but ambiguous: a full-disk search can read paths to sensitive files, and the skill's claim that it 'does not upload or share files' is a policy statement in prose, not an enforceable constraint.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk (nothing written to disk by an installer).
Credentials
No environment variables, credentials, or config paths are required — appropriate for a local file-search utility.
Persistence & Privilege
always:false and no special privileges requested. The skill may be invoked autonomously by the agent (platform default), which is normal; if you are concerned about privacy, control autonomous invocation in the agent settings.
Assessment
This skill appears to do what it says (search local folders for file names) and doesn't request credentials or installs. However: (1) a full-disk search can reveal sensitive file paths — consider restricting searches to specific directories (Home, Documents) rather than allowing entire-disk scans; (2) the SKILL.md's statement that it 'does not upload or share files' is not technically enforced by the skill metadata — confirm how the agent will handle and where it will display or transmit results before use; (3) the skill source is unknown — if you need higher assurance, ask the publisher for the exact commands/APIs the skill uses or request the SKILL.md be expanded to list platform-specific search methods, or run it in a sandboxed environment first; and (4) if you are worried about autonomous runs, disable autonomous invocation for this skill or limit its permissions in your agent configuration.

Like a lobster shell, security has layers — review code before you run it.

latestvk9791a9kav0qzmtmq3rfqgt0rd829vpj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments