file-browser

Review

Audited by ClawScan on May 10, 2026.

Overview

This is mostly a read-only workspace file browser, but its path and output handling could let workspace symlinks or crafted file contents escape the intended safety boundary.

Install only if you are comfortable with the agent reading files in the workspace. Before use, the author should harden path containment against symlinks and properly escape JSON output so local file contents cannot confuse the tool response.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A file or symlink inside the workspace could cause the agent to read data outside the intended workspace, and crafted file contents could break or manipulate the tool's JSON output.

Why it was flagged

The script enforces the workspace boundary only with string checks and then reads the resulting path. It does not canonicalize the path or reject symlinks, so a symlink inside the workspace could point outside it. It also embeds raw file content directly into JSON without escaping.

Skill content

FULL_PATH="$WORKSPACE/$REL_PATH"
if [[ "$REL_PATH" == *'..'* || "$REL_PATH" == '/'* ]]; then ...
CONTENT=$(head -c 10240 "$FULL_PATH" | tr -d '\0')
echo "{\"success\": true, \"data\": \"$CONTENT\"}"

Recommendation

Resolve paths with realpath/readlink, verify the canonical path stays under the workspace, reject or explicitly handle symlinks, and use a proper JSON encoder such as jq or Python json.dumps for file names and file contents.
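One way to implement that recommendation in the skill's own shell, as an added example that is neither the skill's code nor part of the ClawScan review; it assumes GNU coreutils realpath plus either jq or python3 on PATH, and the helper names read_workspace_file and json_string are made up here:

```shell
#!/usr/bin/env bash
# Hardened read helper (added example, not the skill's own code).
# Assumes GNU coreutils realpath and jq or python3 for JSON encoding.
set -u

# Encode stdin as one JSON string literal using a real encoder.
json_string() {
  if command -v jq >/dev/null 2>&1; then
    jq -Rs .
  else
    python3 -c 'import json,sys; sys.stdout.write(json.dumps(sys.stdin.read()))'
  fi
}

# Usage: read_workspace_file WORKSPACE REL_PATH
# Prints a JSON object; returns 1 (with success:false) when the path is rejected.
read_workspace_file() {
  local workspace="$1" rel="$2" ws full
  # Canonical workspace root; every resolved path must sit under it.
  ws=$(realpath -e -- "$workspace") || return 1
  # Cheap syntactic rejects: empty or absolute paths.
  case "$rel" in
    ''|/*) printf '{"success": false, "error": "invalid path"}\n'; return 1 ;;
  esac
  # Refuse a symlink as the final component. Symlinked intermediate
  # directories are caught below, because realpath follows them before
  # the containment check runs.
  if [ -L "$workspace/$rel" ]; then
    printf '{"success": false, "error": "symlink rejected"}\n'; return 1
  fi
  # Canonicalize (-e also requires the target to exist) and check containment
  # on the resolved path, not on the user-supplied string.
  full=$(realpath -e -- "$workspace/$rel" 2>/dev/null) \
    || { printf '{"success": false, "error": "not found"}\n'; return 1; }
  case "$full" in
    "$ws"/*) ;;
    *) printf '{"success": false, "error": "outside workspace"}\n'; return 1 ;;
  esac
  [ -f "$full" ] \
    || { printf '{"success": false, "error": "not a regular file"}\n'; return 1; }
  # Stream the first 10 KiB through the JSON encoder instead of interpolating
  # raw bytes into a hand-built string.
  printf '{"success": true, "path": %s, "data": %s}\n' \
    "$(printf '%s' "$rel" | json_string)" \
    "$(head -c 10240 -- "$full" | json_string)"
}
```

A directory symlink such as `esc -> ..` inside the workspace passes the original `*'..'*` string check but is rejected here, because the check runs on the canonical path.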