Fabric Bridge

Pass
Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: fabric-bridge
Version: 1.0.0

The skill bundle is classified as suspicious due to its inherent capabilities to access and process arbitrary local files and external URLs via the `fabric-ai` CLI tool, as demonstrated in `SKILL.md`. While these are legitimate features of the wrapped tool, they present a significant risk surface. The skill instructs the agent to use commands like `fabric-ai -u <URL>` to fetch web content and `cat file.txt | fabric-ai` to read local files, which could be exploited by a malicious user prompt to access or exfiltrate sensitive data to external AI services.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The Fabric CLI may be able to use the user's configured AI provider account, which can incur usage on that account or expose submitted prompts to that provider.

Why it was flagged

The skill explicitly requires configuring API keys for the external Fabric CLI. This is expected for an AI-provider integration, but it gives the CLI access to whichever provider account or quota the user configures.

Skill content

First-time setup: run `fabric-ai -S` to configure API keys.

Recommendation

Use a dedicated or revocable API key where possible, confirm which provider is configured, and avoid submitting sensitive content unless that provider use is acceptable.

What this means

Updated community patterns may change how the CLI transforms, summarizes, or analyzes user-provided content.

Why it was flagged

Fabric patterns are described as reusable system prompts, and the skill recommends updating community patterns. That is central to Fabric usage, but it means prompt behavior can change based on external pattern updates.

Skill content

Run `fabric-ai -U` periodically to get new community patterns.

Recommendation

Install and update Fabric from trusted sources, and review unfamiliar patterns before using them with sensitive or high-impact inputs.

What this means

Saved contexts, sessions, or custom prompts may affect later Fabric runs and could accidentally carry forward sensitive or misleading information.

Why it was flagged

The instructions document reusable contexts, sessions, and local custom system prompts. These are purpose-aligned Fabric features, but persistent or reusable context can influence future outputs if users store sensitive or untrusted content there.

Skill content

Use context: `echo "input" | fabric-ai -p <pattern> -C my_context -s`
Session continuity: `echo "input" | fabric-ai -p <pattern> --session my_session -s`
Custom Patterns: `~/.config/fabric/patterns/<name>/system.md`

Recommendation

Use named contexts and sessions intentionally, keep sensitive material out of reusable contexts unless needed, and review custom pattern files before relying on them.