Security audit

Local File Manager

Security checks across malware telemetry and agentic risk

Overview

This local file manager has a coherent purpose, but its implementation can turn user-controlled file arguments into shell commands and can delete or write files without the safety guarantees it advertises.

Review carefully before installing. Use only in a disposable workspace unless the maintainer replaces shell-string execution with scoped filesystem APIs, removes the hardcoded local script path, aligns the manifest with the packaged files, confines logging and file access to the declared workspace, and adds explicit confirmation for destructive actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill metadata says it safely reads, writes, appends, and lists files in the session working directory, but the body also documents mkdir, delete, copy, and move operations. This mismatch expands the apparent authority of the skill beyond what a caller may expect, increasing the chance that an agent or reviewer enables it under incomplete assumptions and permits destructive filesystem actions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The Safety section claims the tool is sandboxed to cwd, but the examples and log path show access to /var/log and ~/.openclaw/logs, which are outside the working directory. That contradiction undermines the core safety claim and suggests the implementation or operator expectations may permit out-of-scope reads/writes, enabling data leakage or unauthorized modification of host files.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest positions the skill as operating within the session working directory, but the documentation later includes absolute and home-directory paths outside that scope. A mismatch between declared scope and documented behavior is dangerous because security decisions may be made based on the narrower manifest while the actual tool behavior reaches broader parts of the filesystem.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill's declared behavior is limited to safe file I/O in the working directory, but the implementation exposes additional mkdir/delete operations and delegates execution to an external shell script. This mismatch weakens trust boundaries, obscures the true attack surface, and can enable destructive filesystem actions beyond what users and reviewers would reasonably expect.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Using child_process for routine file management introduces an unnecessary command-execution surface, especially when later combined with user-controlled arguments. Even if the shell script is intended only for file operations, this design allows shell metacharacter injection and expands the blast radius from file I/O to arbitrary command execution.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code claims safe file I/O within cwd, but constructs a shell command string using interpolated values from input and context: action, path, dir, content, pattern, and cwd. Because these values are concatenated without robust escaping, an attacker can inject shell syntax or break argument boundaries, leading to arbitrary command execution or access outside the intended working directory.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The documented capability boundary says the skill is for reading, writing, appending, and listing files in the working directory, but the script also supports mkdir and delete. This mismatch is security-relevant because agents and reviewers may grant or invoke the skill under a narrower trust model than the code actually implements, enabling unexpected destructive actions.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The log function writes to ${FILE_MANAGER_LOG:-$HOME/.openclaw/logs/file-manager.log}, which is outside the session working directory promised by the skill description. That expands the skill's write scope beyond its declared boundary and can create or modify files in the user's home directory, violating least privilege and potentially leaking filenames or content metadata to a persistent location.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest advertises capabilities beyond the stated skill purpose: it includes search, move, and delete-style filesystem management while the declared use case is limited to read, write, append, and list within the workspace. This mismatch can mislead reviewers and users about the true power of the skill, increasing the risk of unsafe invocation or overbroad trust in a component that can modify or remove data.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Granting delete access across the entire workspace is broader than the stated purpose and introduces a destructive capability that could erase user data, intermediate artifacts, or audit-relevant files. In this context, the danger is elevated because the skill is presented as a safe local file manager for persistence tasks, so consumers may not expect that it can perform irreversible deletion.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises overwrite and delete operations without clearly warning about irreversible data loss. In an agent setting, insufficient warning around destructive operations can cause accidental file destruction because the tool appears routine and safe while exposing mutating actions that may be invoked automatically.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The documentation contains inconsistent statements about path scope, claiming local cwd safety while elsewhere demonstrating or configuring paths outside that boundary. Ambiguous security boundaries are dangerous because users and agent policies may rely on the safer interpretation and inadvertently authorize broader filesystem access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The delete action performs irreversible file removal with only a hidden-file check and no explicit confirmation, force flag, recycle-bin behavior, or user-facing warning. In an agent setting, where arguments may be inferred from prompts or chained tool outputs, this increases the risk of accidental destructive operations within the working directory.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.