File Sender
Warn · Audited by ClawScan on May 18, 2026.
Overview
This skill can search and send any readable local file, including credentials, and its identity and secret-handling safeguards are too loose for automatic agent use.
Install only if you intentionally want an agent to send local files and credentials through chat. Configure a verified recipient, confirm the exact file and destination every time, avoid using it on shared machines, and do not rely on the memory-only credential claim without code changes.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Impact: A mistaken match, a wrong recipient, or an impersonated request could cause private local files or keys to be uploaded to a chat channel.
Detail: The skill combines a broad filesystem search with instructions to send any readable file, including highly sensitive secrets, and relies mainly on agent judgment rather than enforced limits. The search runs from `/` with `-readable`, so every file the agent's user can read anywhere on the machine (home directories, SSH keys, application config) is a candidate match for a loosely specified name.
Evidence (SKILL.md): find / -name "filename*" -readable -type f 2>/dev/null ... Send any file Marco explicitly requests — documents, IDs, certificates, keys, anything
Recommendation: Restrict searches to approved directories, require explicit per-send confirmation of the exact file and recipient, and add a second approval step for credentials, IDs, certificates, and keys.
Finding 2
Impact: If the skill is installed by another user, used in the wrong chat context, or left with a stale target configuration, the agent may treat an unauthorized requester as entitled to receive local files.
Detail: The authority model is hard-coded around 'Marco' and assumes that a direct chat equals full authorization, but the scripts and metadata show no enforceable identity or recipient binding. "Direct chat" is a property of the channel, not a verified account, so whoever reaches the agent over that channel inherits the owner's access.
Evidence (SKILL.md): **In direct chat with Marco**: he's the owner, full access, no questions asked.
Recommendation: Bind the skill to a verified account identity and a recipient allowlist, remove hard-coded personal assumptions, and require confirmation for sensitive transfers even in direct chat.
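The recommendations for findings 1 and 2 describe one policy check: a send is authorized by the tuple (verified requester, allowlisted recipient, exact confirmed path inside an approved directory), with a second approval for credential-like files. The Python below is an added illustration of that check; it is not the skill's own code. The bound account id, the recipient allowlist, the approved roots, the sensitive-name patterns and the `chat_kind` argument are all assumptions. Paths are compared after `os.path.realpath()`, so a `..` component or a symlink planted inside an approved directory cannot escape the allowlist.

```python
import os
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical policy values, not the skill's own configuration: the verified account the
# skill is bound to, the recipients allowed to receive files, and the approved search roots.
BOUND_OWNER = "telegram:123456789"           # constructed account id
RECIPIENT_ALLOWLIST = {"telegram:123456789"}
APPROVED_ROOTS = ("/home/marco/Documents", "/home/marco/shared")
SENSITIVE_SUFFIXES = (".pem", ".key", ".p12", ".pfx", ".age", ".crt", ".kdbx", ".env")
SENSITIVE_NAMES = ("id_rsa", "id_ed25519", "credentials", ".netrc", "passport", "id_card")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    extra_approval: bool = False   # True when a second, explicit approval is still required


def path_is_under(path: str, roots: Iterable[str]) -> bool:
    """Contain the path by comparing resolved paths: realpath() follows symlinks and
    collapses '..', so neither 'Documents/../.ssh/id_rsa' nor a symlink planted inside an
    approved directory can point outside the allowlist and still pass."""
    real = os.path.realpath(path)
    for root in roots:
        root_real = os.path.realpath(root).rstrip(os.sep)
        if real == root_real or real.startswith(root_real + os.sep):
            return True
    return False


def looks_sensitive(path: str) -> bool:
    """Cheap classifier for the categories the finding names: credentials, IDs, certs, keys."""
    name = os.path.basename(path).lower()
    return name.endswith(SENSITIVE_SUFFIXES) or any(n in name for n in SENSITIVE_NAMES)


def evaluate_send(requester: str, chat_kind: str, path: str, recipient: str,
                  confirmed_path: Optional[str],
                  roots: Iterable[str] = APPROVED_ROOTS) -> Decision:
    """Authorization is the tuple (verified requester, allowlisted recipient, exact confirmed
    path), not 'the message arrived in a direct chat'."""
    if requester != BOUND_OWNER:
        return Decision(False, "requester is not the account the skill is bound to")
    if chat_kind != "direct":
        return Decision(False, "sends are only honoured in a direct chat with the owner")
    if recipient not in RECIPIENT_ALLOWLIST:
        return Decision(False, "recipient is not on the allowlist")
    if not path_is_under(path, roots):
        return Decision(False, "path is outside the approved directories")
    if confirmed_path is None or os.path.realpath(confirmed_path) != os.path.realpath(path):
        return Decision(False, "requester has not confirmed this exact file")
    if looks_sensitive(path):
        return Decision(True, "sensitive material: second explicit approval required",
                        extra_approval=True)
    return Decision(True, "ok")


if __name__ == "__main__":
    owner = BOUND_OWNER
    for p in ("/home/marco/Documents/report.pdf",
              "/home/marco/Documents/../.ssh/id_rsa",
              "/home/marco/Documents/server.pem"):
        print(p, evaluate_send(owner, "direct", p, owner, p))
```

The agent should call `evaluate_send` once per file with the identity the messaging layer actually verified, not with the display name in the chat; a `Decision` with `extra_approval=True` means the file may be sent only after a separate, explicit yes that names the file.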
Finding 3
Impact: Decrypted credentials may briefly exist on disk and could be exposed if cleanup fails, if another local process can read the workspace, or if the workspace is indexed or backed up.
Detail: Credential sending decrypts the secret into memory and then writes the plaintext to a workspace temp file before sending, so a sensitive local artifact exists until cleanup completes. mkstemp creates the file with mode 0600, so the exposure is not to other users but to anything running as the same user or as root, to a cleanup step that never runs, and to indexers and backup tools that copy the workspace.
Evidence (script):
    fd, tmp_path_raw = tempfile.mkstemp(..., dir=tmp_dir)
    os.write(fd, plaintext)
    os.rename(tmp_path_raw, tmp_path)
Recommendation: Use a true streaming/in-memory send path where possible, create temp files only in a locked-down directory with strict permissions, and document the real plaintext-on-disk behavior.
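The recommendation above has two halves: prefer a send path that never materializes the plaintext, and, where a path is unavoidable, contain the file and guarantee cleanup. The Python below is an added illustration of both, not the skill's code; the `SendBytes` and `SendPath` transport interfaces are assumptions standing in for the skill's real Telegram call, which this page does not show. The fallback creates a fresh 0700 directory, opens the file with `O_CREAT|O_EXCL` at 0600 so a pre-planted file or symlink is never followed, and unlinks it in `finally` even when the send raises.

```python
import os
import stat
import tempfile
from contextlib import contextmanager
from typing import Callable, Iterator, Optional

# Hypothetical transport interfaces; the skill's real Telegram send call is not shown on this page.
SendBytes = Callable[[bytes, str], None]   # plaintext plus a display name, nothing on disk
SendPath = Callable[[str], None]           # a transport that insists on a filesystem path


def send_credential_in_memory(plaintext: bytes, name: str, send: SendBytes) -> None:
    """Preferred path: hand the decrypted bytes straight to the transport. This is the only
    way a 'plaintext never touches disk' claim can actually be true."""
    send(plaintext, name)


@contextmanager
def locked_down_tempfile(plaintext: bytes, name: str,
                         base_dir: Optional[str] = None) -> Iterator[str]:
    """Fallback when a path is unavoidable: a private directory (mkdtemp creates it 0700),
    a file created O_CREAT|O_EXCL with mode 0600, and unconditional cleanup in finally."""
    tmp_dir = tempfile.mkdtemp(prefix="filesender-", dir=base_dir)
    tmp_path = os.path.join(tmp_dir, name)
    try:
        fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(plaintext)
        yield tmp_path
    finally:
        # Best-effort overwrite before unlink. This does not defeat snapshots, backups or
        # copy-on-write storage, which is why the in-memory path above is preferred.
        try:
            with open(tmp_path, "r+b") as f:
                f.write(b"\0" * len(plaintext))
        except OSError:
            pass
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        try:
            os.rmdir(tmp_dir)
        except OSError:
            pass


def send_credential_via_path(plaintext: bytes, name: str, send: SendPath,
                             base_dir: Optional[str] = None) -> str:
    """Returns the temp path that was used so the caller can verify it no longer exists."""
    with locked_down_tempfile(plaintext, name, base_dir) as path:
        send(path)
        return path


def demo() -> dict:
    """Exercise both paths with a constructed secret and record what a transport observes."""
    seen: dict = {}

    def capturing_send(path: str) -> None:
        seen["mode"] = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "rb") as f:
            seen["data"] = f.read()

    used = send_credential_via_path(b"hunter2\n", "cred.txt", capturing_send)
    seen["cleaned_after_success"] = (not os.path.exists(used)
                                     and not os.path.exists(os.path.dirname(used)))

    def failing_send(path: str) -> None:
        seen["failed_path"] = path
        raise RuntimeError("transport unavailable")

    try:
        send_credential_via_path(b"hunter2\n", "cred.txt", failing_send)
    except RuntimeError:
        pass
    seen["cleaned_after_failure"] = not os.path.exists(seen["failed_path"])

    sent = []
    send_credential_in_memory(b"hunter2\n", "cred.txt", lambda data, n: sent.append((data, n)))
    seen["in_memory"] = sent
    return seen


if __name__ == "__main__":
    print(demo())
```

The overwrite before unlink is deliberately labelled best-effort: on journaling, copy-on-write or snapshotted filesystems the old blocks can survive, so the documentation should say "briefly written to a private temp file" rather than "never touches disk" unless the in-memory path is the one actually used.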
Finding 4
Impact: The agent may skip useful warnings or secondary checks before sending secrets, while the user may believe credentials are handled more safely than they are.
Detail: The instructions discourage safety warnings for sensitive files and make a stronger security claim than the implementation supports (the credential path writes plaintext to a temp file, see finding 3), which can cause users or agents to over-trust the workflow.
Evidence (SKILL.md): Trust that Marco knows what he's asking for — don't lecture or refuse ... Decrypt and send via Telegram (plaintext NEVER touches disk)
Recommendation: Remove the 'no questions asked' language, provide clear sensitive-file warnings, and align the documentation with the actual credential-send implementation.
Finding 5
Impact: Users may not realize the skill needs local crypto and messaging tools already installed and trusted.
Detail: The skill depends on external binaries, but the registry requirements declare no required binaries and there is no install spec. This is under-declared setup context rather than hidden code execution.
Evidence (metadata): dependencies: - age ... - age-keygen ... - openclaw CLI
Recommendation: Declare the required binaries and setup steps in metadata, and keep registry metadata consistent with the packaged skill version.
