Olares Files (olares-cli files)
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a disclosed Olares file-management helper, but it can modify, delete, and share account files while relying on unreviewed external login/profile instructions and under-declared prerequisites.
Review the referenced olares-shared dependency and verify the trusted source of olares-cli before installing. If you use this skill, confirm the active Olares profile and require explicit approval before deleting, moving, renaming, sharing, or modifying Sync repositories.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may follow unreviewed external instructions when choosing an account profile or handling login errors before performing file operations.
The skill depends on a separate shared instruction file for authentication/profile behavior, but the provided manifest contains only SKILL.md, so those rules cannot be reviewed here.
CRITICAL — before doing anything, MUST use the Read tool to read [`../olares-shared/SKILL.md`](../olares-shared/SKILL.md) for the profile selection, login, and HTTP 401/403 recovery rules
Review the referenced olares-shared skill before use, and only install this skill together with a trusted, matching shared dependency.

Installation metadata may not fully tell users what local tool must be present for the skill to work.
The skill itself says it needs the olares-cli binary, while the registry requirements section says no required binaries are declared.
metadata:\n requires:\n bins: ["olares-cli"]\n cliHelp: "olares-cli files --help"
Confirm that olares-cli is installed from a trusted source before using the skill.

Commands may act with the privileges of the selected Olares account and can affect that account’s files and shares.
The skill operates against a per-user backend and requires authenticated account access, which is expected but sensitive.
requires-oauth-token; requires-sensitive-credentials
Use the least-privileged profile available and verify the selected account before running mutating commands.

A mistaken command could delete, move, copy, or publicly share remote files or modify Sync repositories.
The skill clearly documents powerful file and repository operations, including deletion and sharing; these are purpose-aligned but high impact.
list (ls), upload, download, cat, rm, cp, mv, rename (rn), share (internal / public / smb), and Sync-repo CRUD
Require clear user intent and explicit confirmation for delete, move, share, SMB, public-link, and repository-changing operations.
