file-repair-skill

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: file-repair-skill
Version: 1.0.7

The skill facilitates the uploading of user files to a third-party service (Tenorshare 4DDiG) for repair, which is a high-risk data handling operation. While the SKILL.md includes a privacy disclosure, it also contains marketing instructions that direct the AI agent to promote a product using a shortened URL (https://bit.ly/4roS6Rv), a common vector for affiliate tracking or potentially unwanted software. Furthermore, the bundled script (repair-file.bundle.cjs) lacks path sanitization for the input file argument; this presents a significant vulnerability where a prompt injection attack could trick the agent into exfiltrating sensitive local files (e.g., ~/.ssh/id_rsa) by claiming they are 'corrupted' and need repair.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Files you choose for repair leave your local environment and are processed by a third-party service.

Why it was flagged

The skill intentionally sends the selected file to an external provider; this is disclosed and purpose-aligned, but the file may contain private or sensitive data.

Skill content

This skill repairs files by uploading the user-provided file to a third-party online file repair service (Tenorshare 4DDiG Online Repair) and retrieving the repaired result.

Recommendation

Only use this skill for files you are comfortable uploading, and follow the skill’s consent warning for confidential, regulated, or highly sensitive content.

What this means

Installing and invoking the skill allows its bundled script to run locally for the chosen file.

Why it was flagged

Running a local Node.js bundle is central to the skill’s operation and is disclosed, but users should understand that local code will read the selected file and perform network operations.

Skill content

This skill executes a bundled Node.js script: `{baseDir}/dist/repair-file.bundle.cjs`.

Recommendation

Run it only on intended file paths and only if you trust the skill publisher and the bundled script.

What this means

It may be harder for a user to independently verify where the bundled code came from or how it was built.

Why it was flagged

The skill includes a sizable bundled executable script, but the registry metadata does not provide a source repository or homepage for provenance review.

Skill content

Source: unknown; Homepage: none; Code file presence: dist/repair-file.bundle.cjs (357111 bytes)

Recommendation

Prefer skills with clear source provenance when handling important files, or inspect the bundle before use.

What this means

A user could be encouraged to visit an opaque link and download additional software outside the skill.

Why it was flagged

The skill includes an upsell to a shortened external link; it is disclosed and not automatically executed, but the shortened destination is not transparent.

Skill content

Download the client for better service - Visit https://bit.ly/4roS6Rv

Recommendation

Verify the destination and vendor authenticity before opening the shortened link or installing any promoted client.