@openclaw/interchange

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The OpenClaw Interchange skill is classified as suspicious due to several critical vulnerabilities, primarily in its file locking and path handling mechanisms. The advisory file locking in `src/lock.js` is susceptible to race conditions during stale lock cleanup and PID reuse, which can lead to broken mutual exclusion and data integrity issues. Additionally, `src/indexer.js` and `src/io.js` exhibit potential path traversal vulnerabilities if `skillName` or `filePath` inputs are not strictly sanitized, allowing writes outside the designated `INTERCHANGE_ROOT`. The `rebuildIndex` function in `src/indexer.js` also contains a race condition by bypassing the robust locking mechanism for master index updates. While there is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, these vulnerabilities could be exploited to cause data corruption, denial of service, or unauthorized file modifications.