Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OneDrive Integration
v0.1.0Copy large/long files to OneDrive for sharing when the user is on Telegram or WhatsApp and wants to view a full document or long file. Use to place files int...
⭐ 0· 558·2 current·2 all-time
byZhihao@moodykong
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill's name/description (copy local files to OneDrive for sharing) aligns with the included scripts which locate a local OneDrive root and copy files there. Minor mismatch: registry metadata lists no required environment variables, but the skill expects a machine-local config.env with ONEDRIVE_ROOT (required) and ONEDRIVE_SUBDIR (optional). This is a packaging/metadata omission rather than a functional mismatch.
Instruction Scope
SKILL.md and scripts limit actions to discovering a OneDrive folder (under /mnt/c/Users/*/OneDrive*), writing a local config.env, and copying specified file paths into a destination directory. That stays within the stated purpose. Important privacy note: copying files into the OneDrive folder causes them to be synced to the cloud by the user's OneDrive client — sensitive files could be uploaded unintentionally. The instructions do not attempt to read unrelated system secrets or contact external services directly.
Install Mechanism
No install spec; the skill is instruction-only with two small scripts bundled. This is low risk — nothing is downloaded from external URLs or installed automatically. Onboarding offers an interactive shell script (onboard.sh) that the user would run manually; it does not silently fetch remote code.
Credentials
The skill does not request cloud credentials or external API keys (good). It relies on a local config.env (ONEDRIVE_ROOT required). The registry metadata did not declare this required config, so users or automated validators might miss that a local path must be set. The included example config contains a concrete absolute path (user-specific) — benign but worth noting.
Persistence & Privilege
The skill is not marked always:true and does not request elevated privileges or modify other skills. It keeps its canonical script inside its skill folder; optional symlinking to PATH is left to the user. Allowing autonomous invocation is the platform default and is not by itself a red flag here.
Assessment
This skill is internally coherent and the scripts are small and readable, but review the following before installing/using: (1) Understand that files you copy will land in your OneDrive folder and will be synced to Microsoft cloud — do not copy sensitive data you don't want uploaded. (2) The skill requires a local config file (config.env with ONEDRIVE_ROOT) though the registry metadata doesn't declare it; confirm ONEDRIVE_ROOT points to the correct OneDrive folder on your machine. (3) Inspect the bundled scripts (copy_to_onedrive.py and onboard.sh) — they only touch local paths and do not contact external endpoints, but you should run onboard.sh interactively (it will list /mnt/c/Users/*/OneDrive* and prompt) rather than running it blindly. (4) Prefer invoking the script manually or via explicit user approval; avoid globally symlinking into PATH unless you trust the skill and want that convenience. If you want higher assurance, run the scripts in a controlled environment or test with non-sensitive files first.Like a lobster shell, security has layers — review code before you run it.
latestvk97dk9dnfz6ved0a4q2vd2j3n581nq5k
License
MIT-0
Free to use, modify, and redistribute. No attribution required.