moneyclaw-smart-file-organizer

Security checks across malware telemetry and agentic risk

Overview

This is a local file organizer with no network or credential behavior, but it can move or permanently delete many user files, and its warnings and recovery controls are not strong enough.

Review before installing. Use only on test folders first, run preview mode before live changes, keep an independent backup, avoid sudo/admin execution, and do not enable duplicate deletion unless you have manually verified the files to remove.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 83%
Finding
The skill advertises and invokes file read/write and shell-based script execution, but does not declare corresponding permissions or trust boundaries. This creates a transparency and consent problem: users or hosting platforms may authorize the skill without understanding that it can modify files or execute subprocesses, increasing the chance of unsafe use or privilege misuse.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 78%
Finding
The documented purpose is file organization, but the described/observed behavior extends into config generation, automated test execution, report writing, subprocess-driven testing, and log-based undo/restore actions. This broader operational scope materially increases risk because it introduces execution and file-modification behaviors outside the user's likely expectations, making abuse or accidental damage more plausible.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The constructor expects stats and log state to exist, but due to the early return in _load_config, those attributes are never initialized. Later calls to self.stats or self.log can crash the program unpredictably, and because this tool performs filesystem operations, a mid-run crash can leave files partially moved, backed up, or deleted without a reliable summary.

Context-Inappropriate Capability

Medium
Confidence: 75%
Finding
The error-testing logic intentionally probes hardcoded privileged or arbitrary paths such as /root and /nonexistent/path. While framed as testing, this can cause unsafe access attempts on host filesystems and is more dangerous in agent or sandboxed environments where the skill may run with broader-than-expected permissions.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README includes commands that perform real file organization and renaming immediately after the preview example, but it does not clearly warn users to prefer preview and backup before any destructive operation. In a file-management skill, moving and renaming files can cause data loss, broken references, or difficult recovery if users run the non-preview commands directly.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation presents duplicate-file deletion and movement operations as routine commands without a prominent warning that deletion may be irreversible or that duplicate detection can misclassify files. In a file-management skill, encouraging direct destructive actions without strong cautions, confirmation steps, or recovery guidance raises the likelihood of accidental data loss.

Missing User Warnings

Medium
Confidence: 87%
Finding
The bulk cleanup example for project files describes pattern-based cleanup but does not warn that wildcard matches may remove important files or alter build/debug artifacts unexpectedly. Because this is recursive-style file maintenance in developer directories, an overly broad pattern can quickly cause widespread and hard-to-reverse loss.

Missing User Warnings

Medium
Confidence: 96%
Finding
When deduplication is enabled and the configured action is delete, the script permanently removes files immediately with item.unlink() and no explicit confirmation, recycle-bin behavior, or transaction safety. In a file-organizing skill, this is especially dangerous because users may run it over large directories and a false duplicate decision or unexpected config can cause irreversible data loss at scale.

VirusTotal

63/63 vendors flagged this skill as clean.
