Local File Manager
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is a plausible local file manager, but its implementation can let crafted inputs run shell commands or bypass the claimed working-directory sandbox.
Do not install this version unless you are comfortable reviewing and fixing the implementation. At minimum, it should avoid shell string execution, enforce a real cwd boundary, use package-relative paths, and add real confirmation for delete/overwrite operations.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted filename, pattern, content string, or working-directory value could cause arbitrary shell commands to run as the user, bypassing the intended local-file-only behavior.
User-controlled fields such as path, content, pattern, action, and cwd are interpolated into a shell command without escaping or an argument array.
if (content) args.push("--content", content); ... await execAsync(`CWD="${cwd}" "${scriptPath}" ${args.join(" ")}`, { ... })
Replace exec with execFile/spawn using an argument array, validate the action against an allowlist, pass large content through stdin or a safe temporary file, and avoid shell interpretation entirely.
The agent may be able to read, overwrite, or delete files outside the session working directory despite the documented sandbox, for example through path-normalization edge cases or symlinks.
The path guard only strips one leading slash and rejects the substring '..'; it does not canonicalize paths or verify the resolved path remains inside cwd before read, write, or delete operations.
p="${p#/}"; if [[ "$p" == *".."* ]]; then ...; echo "$p" ... cat "$FILE" ... printf "%s" "$CONTENT" > "$FILE" ... rm "$FILE"
Use realpath/canonicalization and enforce that every resolved target is under the intended cwd; reject absolute paths after normalization; consider disallowing symlink traversal for destructive operations.
On some systems the skill may fail; on others it could execute a local file outside the reviewed package if that hard-coded path exists or is replaced.
The runtime entry point uses a hard-coded absolute path rather than the packaged script location, creating a provenance gap between reviewed code and what may actually execute.
const scriptPath = "/Users/nico/.openclaw/workspace/skills/local-file-manager/scripts/file_manager.sh";
Use a package-relative script path, remove stale or conflicting metadata, and declare a clear install/runtime entry point so the executed code is the reviewed code.
Users may believe destructive or large-file operations have stronger safeguards than the reviewed implementation actually provides.
The documentation promises confirmation and size-limit safety controls, but the provided shell script directly removes files and does not implement the stated max-file-size check.
**Delete file**: Remove a file (with safety checks) ... # Delete file (with confirmation) ... **Size limit**: Max file size 10MB (configurable)
Update the documentation to match actual behavior, or implement explicit confirmation, default dry-run for deletion/overwrite, and enforced file-size limits.
