ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

file-browser

v1.0.0

Read-only file browsing and reading in the OpenClaw workspace (/home/alfred/.openclaw/workspace). Use for listing directories or reading text files (up to 10...

0· 917·13 current·13 all-time
by@nagilem
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and included scripts align: the skill only lists and reads files under /home/alfred/.openclaw/workspace and declares no extra dependencies or credentials.
!
Instruction Scope
SKILL.md restricts to relative paths and read-only operations and the scripts generally enforce these checks, but the scripts do not prevent symlink traversal (a workspace-file that is a symlink can point outside the workspace) and they emit JSON by interpolating raw filenames/file contents without escaping, which can break parsing or enable JSON injection. There is no handling for filenames containing quotes, newlines, or other special characters.
Install Mechanism
No install spec; instruction-only with two small scripts. No external downloads or package installs are performed.
Credentials
No environment variables, credentials, or config paths are requested. This is proportionate to a read-only file browser.
Persistence & Privilege
Skill is not always-enabled and uses normal invocation. It does not request elevated or persistent privileges.
What to consider before installing
This skill generally does what it says, but do not install blindly: the scripts allow symlink traversal (a file inside the workspace that is a symlink could let the skill read files outside the workspace) and build JSON by directly embedding filenames and file contents without proper escaping (filenames or file contents with quotes/newlines/backslashes can corrupt JSON or be abused). Recommended mitigations before use: 1) resolve and verify the absolute path (e.g., realpath or readlink -f) and ensure it has the workspace prefix to block symlink/outside reads; 2) refuse to follow symlinks or explicitly check for and reject symlinks if you want strict confinement; 3) produce JSON safely (use a JSON encoder such as jq, Python's json.dumps, or printf with proper escaping) rather than interpolating raw data; 4) harden filename handling (handle newlines and quotes, or return names via null-separated output); and 5) validate parsed JSON before using results. If you cannot patch the scripts, consider running the skill in a restricted environment or rejecting it. Confidence is medium — code is small and readable, but the above issues are real and should be fixed before trusting the skill with sensitive workspace contents.

Like a lobster shell, security has layers — review code before you run it.

latestvk9783ek4ktzjkz9by1y0v8cgvn82mdma

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments