
Security audit

ftp-client-zc

Security checks across malware telemetry and agentic risk

Overview

This is a real FTP client skill, but it needs review because it can use stored credentials to modify or delete remote files over plaintext FTP without the safety controls its documentation claims.

Review carefully before installing. Use only FTP credentials you intend this skill to access, remove or ignore the bundled creds.json, avoid using it on important servers until confirmation and path controls are added, and prefer FTPS/SFTP or a trusted network because this code sends credentials and file contents over plaintext FTP.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The code retrieves FTP credentials from a secret store by spawning a subprocess and falls back to a local creds.json file, with no validation, audit trail, or user consent. In a skill context, this is dangerous because it gives the code the ability to silently access stored secrets and use them for outbound network operations, expanding the risk of credential misuse or exfiltration.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script automatically retrieves stored FTP credentials from a secret store or local file and uses them without explicit user confirmation, making destructive remote actions possible with little visibility. In this file, that behavior is paired with delete operations over plain FTP, so accidental execution, misuse by another local user/process, or compromise of the host can lead directly to unauthorized file or directory deletion on the remote server.

Missing User Warnings

Medium
Confidence: 79%
Finding
The skill silently retrieves stored FTP credentials from either an external secret store or a local creds.json file without explicit user disclosure or consent at runtime. In an agent-skill context, undeclared access to stored secrets is sensitive because users may trigger network authentication with credentials they did not intend to expose or use, increasing the risk of unauthorized account use and surprise secret handling.

Missing User Warnings

Medium
Confidence: 84%
Finding
The function recursively creates directories and downloads remote content to arbitrary local paths with no warning, path restrictions, or validation of remote item names. In practice, a malicious or compromised FTP server could cause unexpected filesystem writes, and crafted names containing traversal semantics could potentially escape the intended destination depending on platform/path handling.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill silently retrieves credentials from an external secret manager or a local credential file without notifying the user. Even if intended for convenience, undisclosed secret access in an agent skill is risky because users may not realize the skill is reading sensitive local or platform-managed credentials and preparing them for network use.

Missing User Warnings

Medium
Confidence: 98%
Finding
The FTP connection is established with `secure: false`, which means credentials and data are sent over plaintext FTP. This allows interception of usernames and passwords in transit and makes the listing operation susceptible to man-in-the-middle observation or tampering on untrusted networks.

Missing User Warnings

High
Confidence: 99%
Finding
The script explicitly connects with `secure: false`, meaning it uses plaintext FTP. FTP sends credentials and commands without transport encryption, allowing network attackers to intercept usernames and passwords and potentially manipulate or observe file operations such as renames.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script explicitly connects with `secure: false`, which causes both FTP credentials and uploaded file contents to be transmitted in cleartext. An attacker on the network path can intercept credentials, read sensitive uploads, or modify traffic via man-in-the-middle attacks; the lack of any warning increases the chance users will expose secrets unknowingly.

VirusTotal

64/64 vendors flagged this skill as clean.
