Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

rename-fill

v1.0.0

Rename files in a specified directory with a given prefix. This skill prompts the user for a prefix and directory path, shows a preview of changes, and asks...

by xyz@git-xyz
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and the included Node.js script all describe a batch file-renaming tool that prepends a prefix. The presence of a single small script is proportionate. Minor inconsistency: skill registry name 'rename-fill' vs SKILL.md/name 'rename-file', but this is likely cosmetic.
Instruction Scope
SKILL.md instructs the agent to show a preview and ask for confirmation before executing the rename. The included script prints a preview but does not offer a dry-run or pause for interactive confirmation; if the agent executes the script to 'preview', the script will proceed to rename immediately. This mismatch between the narrative preview step and the script's behavior is the key incoherence and could lead to accidental renames if the agent runs the script for previewing.
Install Mechanism
Instruction-only skill with a small bundled script; no install steps, package downloads, or external installers. Lowest-risk install profile.
Credentials
No environment variables, credentials, or config paths requested. The skill requires Node.js to be present, which is consistent with the shipped JavaScript script.
Persistence & Privilege
No elevated persistence requested (always:false). The skill does not request to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (batch-rename files), but do not run the included script simply to 'preview' changes: the script prints a preview and then performs renames with no dry-run or interactive confirmation. Before installing or invoking:

1) Test the script in a safe disposable directory to confirm behavior.
2) Ensure the agent implementation generates the preview itself (read directory listing) and only runs the script after explicit user confirmation.
3) Ask the author to add a --dry-run flag or an explicit confirmation prompt to the script, or modify the runtime so the script is executed only after the user confirms.
4) Back up important files before using on real data.

Like a lobster shell, security has layers — review code before you run it.
