File Manager Service
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a coherent local file manager, but once started it exposes powerful file-changing APIs and can run/render web code in the same local origin, so it should be reviewed carefully before use.
Only start this skill if you are comfortable with a local web service managing files under ~/.openclaw/workspace/projects. Back up important project files, avoid opening untrusted HTML/SVG through the UI, do not expose port 8888 beyond localhost, and stop the service when finished. Prefer a version that adds authentication/CSRF protection and pins or vendors its web dependencies.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An untrusted HTML or SVG file in the managed workspace could run script in the file-manager origin and call APIs to read, change, or delete other project files.
The download/open endpoints serve managed files inline from the same 127.0.0.1 origin as the file-manager APIs, including HTML/SVG that can execute browser JavaScript.
return send_file(path, as_attachment=False) ... browser_renderable = {'.html', '.htm', '.svg', '.pdf', '.png', '.jpg', '.jpeg', '.gif', '.webp'} ... return send_file(path, mimetype=None)Do not render executable file types inline from the API origin. Serve downloads as attachments, sandbox previews on a separate origin, add CSP and X-Content-Type-Options, or disable HTML/SVG preview.
While the service is running, a local caller or same-origin page could remove files or directories from the OpenClaw projects workspace.
The service exposes destructive recursive deletion over HTTP for paths under BASE_DIR; the visible handler performs the action directly after a path check, with no token, CSRF check, trash/undo, or per-call confirmation shown.
@app.route('/api/delete', methods=['POST']) ... if path.is_dir(): shutil.rmtree(path) else: path.unlink()Add an authentication token, CSRF protection, per-action confirmation for destructive API calls, a trash/undo mechanism, and clear audit logging.
A CDN/package compromise or incompatible remote update could run code inside the file-manager page and access or mutate local project files through the exposed APIs.
The privileged file-manager UI downloads and executes a mutable third-party script without a pinned version or integrity attribute; that script runs in the same origin as the local file API.
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
Vendor the library locally, pin an exact version, add Subresource Integrity, and use a restrictive Content Security Policy.
The local file-management API stays available until the user stops it, which increases exposure if untrusted local pages or processes can reach it.
Starting the skill launches a background service that persists beyond the single command, tracked by a PID file.
proc = subprocess.Popen([sys.executable, str(server_file)], stdout=log, stderr=log, cwd=str(SERVICE_DIR), start_new_session=True) ... PID_FILE.write_text(str(proc.pid))
Stop the service when finished, consider an idle timeout, and make the running status visible to the user.
Running the command without checking the process first could interrupt another program or cause data loss in that process.
The troubleshooting guidance suggests force-killing whichever process owns port 8888. This is user-directed, but it can terminate an unrelated local service.
端口被占用:`lsof -ti :8888 | xargs kill -9` 然后重新启动
Inspect the process using the port before killing it, and prefer graceful shutdown commands over kill -9.