Security audit

File Manager Service

Security checks across malware telemetry and agentic risk

Overview

This is a real file manager for OpenClaw projects, but it exposes powerful file-changing APIs with under-scoped network and upload protections that users should review carefully.

Install only if you trust the local network environment and the files being managed. Before use, bind the server to 127.0.0.1, stop it when finished, avoid opening untrusted HTML/SVG through the UI, and prefer a fixed version that sanitizes upload filenames, validates final paths, self-hosts or pins browser dependencies, and adds authentication or request protection for write/delete actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill documents capabilities to read, write, delete, move, upload, and serve files over HTTP, plus start/stop a local service, yet the skill metadata shown in SKILL.md does not declare corresponding permissions. This weakens user consent and platform governance because a user may invoke a skill with materially broader access than the metadata suggests.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding: The page imports executable JavaScript from a third-party CDN (`marked.min.js`) without a Subresource Integrity hash and without serving it locally. In a file-management UI, this expands the trust boundary to the network and the CDN supply chain; if the CDN response is tampered with, arbitrary script executes in the application's origin and can access file contents, API endpoints, and user actions.

Missing User Warnings

Medium
Confidence: 79%
Finding: The documentation exposes destructive APIs for delete, move, save, and create operations without prominently warning about irreversible data loss or recommending confirmation, backup, or preview steps. In a file-management skill, this increases the chance of accidental misuse and unsafe automation, especially when combined with recursive directory handling and broad upload/edit support.

Missing User Warnings

Low
Confidence: 95%
Finding: The upload endpoint saves arbitrary filenames directly with `base_path / file.filename` and does not sanitize or validate the supplied filename. If an attacker submits an absolute path as the filename, path-join operations such as pathlib's `/` discard the base path, so `file.save()` can write outside the intended workspace, enabling arbitrary file write on the host with the service's privileges.

VirusTotal

64/64 vendors flagged this skill as clean.