ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

file-repair-skill

v1.0.7

Repair damaged/corrupted files (video/document/design/archive) and provide an output download URL.

2· 1.8k·10 current·11 all-time
by@ilpvc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binary (node), and the included bundled Node script are consistent with an online file‑repair skill that uploads files to a third‑party repair service. No unexpected credentials, binaries, or system paths are requested.
Instruction Scope
Runtime instructions explicitly tell the agent to upload the provided file to a third‑party online repair service (Tenorshare 4DDiG) and return the first URL from the script output. The SKILL.md does ask for user consent before uploading, which is appropriate, but the core behavior is to transmit user files off‑device — a privacy-sensitive action that is nevertheless consistent with the stated purpose.
Install Mechanism
There is no external install step; the skill executes an included bundled CommonJS Node script (dist/repair-file.bundle.cjs). This avoids downloading external installers, but running an opaque bundled script is a risk: review the bundle or run it in an isolated environment if you require stronger assurance.
Credentials
The skill requests only the node binary and no environment variables, credentials, or config paths. That is proportionate for a script that performs uploads to a public service without needing user API keys.
Persistence & Privilege
The skill is user‑invocable, not always enabled, and does not request elevated or persistent platform privileges. It does not declare modifications to other skills or system settings.
Assessment
This skill will upload any file you give it to a third‑party online repair service. Only proceed if the user explicitly consents and the file contains no confidential, regulated, or highly sensitive data. If you need stronger assurance: (1) inspect the bundled Node script before running it (or run it in an isolated container/VM), (2) monitor outbound network traffic to confirm the destination, (3) avoid using the skill for PII, financial, health, or other sensitive content, and (4) consider running local repair tools or a trusted commercial client instead. Note the SKILL.md includes a shortened marketing link (bit.ly) — prefer full, verifiable URLs if you follow it.
dist/repair-file.bundle.cjs:8714
Environment variable access combined with network send.
!
dist/repair-file.bundle.cjs:12438
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cweex9vd5vr0c1zt68ybebs836v16

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

Comments