Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Disk Usage
v1.0.0
Show disk usage of a directory or file in human-readable format. Use when the user wants to know how much space a folder or file takes.
by 목진왕 @jinwangmok
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose is to show disk usage for a file or directory. The SKILL.md example (du -sh <PATH>) would support files or directories, but the provided run.sh explicitly rejects non-directory arguments (it checks [ ! -d "$DIR_PATH" ] and errors). That mismatch between description and the runnable script is an inconsistency a user should be aware of.
Instruction Scope
Both SKILL.md and run.sh limit actions to running du on local filesystem paths, sorting results, and printing the total. There are no network calls, no reading of unrelated files or environment variables, and no exfiltration. Note: run.sh uses the shell glob DIR/* so it will omit hidden (dot) entries and may behave differently on empty directories (shell glob expansion), which is a functional caveat rather than a security issue.
Install Mechanism
No install spec — instruction-only plus a small helper script. Nothing is downloaded or written to disk by an installer; risk from installation is minimal.
Credentials
The skill declares no required environment variables or credentials and the code does not reference any environment secrets. Required binary du is appropriate for the stated purpose.
Persistence & Privilege
The skill does not request permanent or elevated presence (always=false). It does not modify other skills or system configs and does not request privileged access.
What to consider before installing
This skill appears safe to run from a security perspective: it uses only the local du command, asks for no credentials, and contains no network calls. However, there is a functional inconsistency: the description and SKILL.md say it works for files or directories, but the included run.sh explicitly rejects non-directory arguments and lists only non-hidden entries (DIR/*), so hidden files/directories won’t be shown. Before installing or running, inspect run.sh (you already have it) and confirm it matches what you need. If you need file support or inclusion of hidden files, modify the script (e.g., allow files, and use du -sh "$DIR_PATH" or adjust globbing). Only run code from sources you trust; although no malicious behavior is evident, verifying the script is good practice.
Like a lobster shell, security has layers — review code before you run it.
latestvk978zf4a2wkz5b3d0tnecafzhn83sqft
Runtime requirements
💾 Clawdis
Bins: du
