ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Local File Processor

v1.0.0

Process local files with batch rename, format conversion, organization by date/type/metadata, duplicate detection, and metadata read/write/removal.

0· 322·2 current·2 all-time
bypp@ppopen
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to be an instruction-only local file processor, which matches its commands (rename, convert, organize, duplicates, metadata). However, SKILL.md instructs installing exiftool, ImageMagick, and ffmpeg and to chmod a local executable at ~/.openclaw/workspace/skills/local-file-processor/local-file-processor. The registry metadata lists no required binaries and there is no install spec or bundled binary — that is an inconsistency: the skill will not function as written without external tools and an executable that is not provided.
Instruction Scope
The runtime instructions operate on arbitrary local files (rename, convert, delete, move, edit metadata), which is expected for this purpose but inherently dangerous. Instructions also tell the user/agent to make an executable in the skill workspace, yet no code is bundled; this step is out-of-band and could cause the agent to execute an unknown binary if one is placed there. The SKILL.md includes safety flags (dry-run, --force, confirmations) which help mitigate risk.
!
Install Mechanism
No formal install spec exists in the registry, but SKILL.md tells users to run 'brew install exiftool imagemagick ffmpeg' and to chmod a workspace binary. Relying on brew assumes macOS/Homebrew and the absence of a declared install mechanism or a trusted download URL for the local executable is an installation risk and a coherence problem.
Credentials
The skill does not request any environment variables, credentials, or config paths. No secret exfiltration indicators are present in the metadata. That said, it legitimately needs access to the filesystem, which is appropriate for its stated purpose.
Persistence & Privilege
The skill does not request 'always: true' and defaults to normal invocation behavior. It asks (in SKILL.md) to add an executable to the skill's workspace, which is typical for a CLI-based skill but there is no indication it will modify other skills or global agent settings.
What to consider before installing
This skill appears to do what it says (batch renames, conversions, metadata edits, duplicate detection) but there are important inconsistencies and risks to consider before installing or running it: - Inconsistency: The registry lists no required binaries or install steps, yet the SKILL.md requires exiftool, ImageMagick, ffmpeg and an executable at ~/.openclaw/workspace/skills/local-file-processor/local-file-processor. Confirm where that executable comes from before making anything executable. - Verify before running: Do not run chmod or execute any binary placed in the workspace unless you have inspected its source. If the local-file-processor binary is provided separately, review its contents (source or vendor-signed release) first. - Test safely: Use --dry-run and operate on a copy/test directory before running destructive actions. Avoid --force or --action delete without backups. - Platform note: The install instructions use brew (macOS/Homebrew); if you use Linux/Windows ensure you install equivalent trusted packages (exiftool, imagemagick, ffmpeg) from your distro or official sources. - If you need assurance: Ask the publisher for a provenance link (source repo or release URL) or a proper install spec that places the executable from a trusted host. Without that, treat the skill as untrusted code that will operate on your local files. If you want, I can: (a) check whether the workspace executable already exists on your system (tell me the path contents), (b) suggest safe test commands to run with --dry-run, or (c) draft questions to ask the skill owner requesting a signed release or source repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk971v4qtbxac68awb86v9qbyad82hh93
322downloads
0stars
1versions
Updated 6h ago
v1.0.0
MIT-0
pp@ppopen
latest
Download

local-file-processor

Process local files with common operations: batch rename, format conversion, organization, duplicate detection, and metadata management.

Installation

brew install exiftool imagemagick ffmpeg
chmod +x ~/.openclaw/workspace/skills/local-file-processor/local-file-processor

Global Safety Flags

These flags work for all commands:

  • --dry-run — Preview changes, no files modified/deleted
  • --overwrite — Allow replacing existing target files (default is no overwrite)
  • --force — Skip confirmation prompts for destructive actions
  • --verbose — Verbose output

Commands

rename

local-file-processor rename <pattern> <replacement> [--dir <path>] [--recursive]

Examples:

local-file-processor rename "IMG_" "Photo_" --dir ~/Pictures --dry-run
local-file-processor rename "old" "new" --dir ~/Files
local-file-processor rename "*.jpg" "vacation_{seq}.jpg" --dir ~/Photos

Special replacement tokens:

  • {seq} sequence number (001, 002, ...)
  • {date} current date (YYYY-MM-DD)
  • {time} current time (HH-MM-SS)

convert

local-file-processor convert <format> --input <path-or-glob> [--output <dir>] [--quality <1-100>]

Examples:

local-file-processor convert jpg --input "~/Photos/*.png" --dry-run
local-file-processor convert mp3 --input "~/Audio/*.wav" --output ~/converted
local-file-processor convert mp4 --input ./clip.mov --overwrite

Supported formats:

  • Images: jpg, jpeg, png, gif, webp, tiff, bmp
  • Audio: mp3, m4a, wav, flac, aac, ogg
  • Video: mp4, mov, avi, mkv, webm

organize

local-file-processor organize <date|type|metadata> [--dir <path>] [--key <metadataTag>]

Examples:

local-file-processor organize date --dir ~/Downloads --dry-run
local-file-processor organize type --dir ~/Documents
local-file-processor organize metadata --dir ~/Photos --key Model

Notes:

  • metadata strategy requires --key.
  • Metadata-derived folder names are sanitized to prevent traversal/unsafe paths.

duplicates

local-file-processor duplicates [--dir <path>] [--recursive] [--action list|delete|move] [--dest <dir>]

Examples:

local-file-processor duplicates --dir ~/Downloads
local-file-processor duplicates --dir ~/Files --action delete --dry-run
local-file-processor duplicates --dir ~/Files --action delete --force
local-file-processor duplicates --dir ~/Photos --action move --dest ~/Duplicates

Notes:

  • delete asks for confirmation unless --force is used.
  • move requires --dest.

metadata

local-file-processor metadata <file-or-glob> [--get <key> | --set <k=v>... | --remove <key>... | --all]

Examples:

local-file-processor metadata photo.jpg --get DateTimeOriginal
local-file-processor metadata "~/Photos/*.jpg" --set "Artist=Jane Doe" --dry-run
local-file-processor metadata photo.jpg --remove Copyright --force

Notes:

  • Metadata keys are validated (safe charset only).
  • Write/delete metadata operations require confirmation unless --force.

Safety Model

  • No overwrite by default for move/convert operations.
  • Use --overwrite to explicitly replace existing files.
  • Destructive operations require confirmation unless --force.
  • --dry-run works for all write/delete operations.
  • File scanning uses null-delimited handling for safer filenames.

Troubleshooting

Missing exiftool

brew install exiftool

Missing convert (ImageMagick)

brew install imagemagick

Missing ffmpeg

brew install ffmpeg

Comments

Loading comments...