Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

file-browser

Read-only file browsing and reading in the OpenClaw workspace (/home/alfred/.openclaw/workspace). Use for listing directories or reading text files (up to 10...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 429 · 11 current installs · 11 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md, and included scripts align: the skill only lists and reads files under /home/alfred/.openclaw/workspace and declares no extra dependencies or credentials.
Instruction Scope
SKILL.md restricts the scripts to relative paths and read-only operations, and the scripts generally enforce these checks, but they do not prevent symlink traversal (a file inside the workspace that is a symlink can point outside it) and they emit JSON by interpolating raw filenames and file contents without escaping, which can break parsing or enable JSON injection. There is no handling for filenames containing quotes, newlines, or other special characters.
Install Mechanism
No install spec; instruction-only with two small scripts. No external downloads or package installs are performed.
Credentials
No environment variables, credentials, or config paths are requested. This is proportionate to a read-only file browser.
Persistence & Privilege
Skill is not always-enabled and uses normal invocation. It does not request elevated or persistent privileges.
What to consider before installing
This skill generally does what it says, but do not install blindly. The scripts have two weaknesses:
  • Symlink traversal: a file inside the workspace that is a symlink can point outside it, so the skill could read files outside the workspace.
  • Unsafe JSON construction: filenames and file contents are embedded directly without escaping, so names or contents containing quotes, newlines or backslashes can corrupt the JSON or be abused.
Recommended mitigations before use:
  1. Resolve the requested path to its canonical absolute form (e.g. realpath or readlink -f) and check that it equals the canonical workspace root or starts with that root followed by a path separator, so that a sibling directory such as workspace-other does not pass a bare string-prefix check. This blocks symlink and outside reads.
  2. Refuse to follow symlinks, or explicitly check for and reject them, if you want strict confinement.
  3. Produce JSON safely (a JSON encoder such as jq or Python's json.dumps, or printf with proper escaping) rather than interpolating raw data.
  4. Harden filename handling (handle newlines and quotes, or return names via null-separated output).
  5. Validate the parsed JSON before using the results.
If you cannot patch the scripts, run the skill in a restricted environment or reject it. Confidence is medium: the code is small and readable, but the issues above are real and should be fixed before trusting the skill with sensitive workspace contents.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0
latest vk9783ek4ktzjkz9by1y0v8cgvn82mdma

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

File Browser Skill

Quick Start

Resolve all paths relative to WORKSPACE=/home/alfred/.openclaw/workspace. Sanitize inputs to prevent escapes or absolutes.

  • To list directory: exec("scripts/list_files.sh", [rel_path]) → JSON {success: bool, data: array of names, error: string}
  • To read file: exec("scripts/read_file.sh", [rel_path]) → JSON {success: bool, data: string (text content), error: string}
  • Handle errors: For binary/large/non-text files, return error JSON.

Step-by-Step Workflow

  1. Parse user query for action (list/read) and relative path.
  2. Call appropriate script with sanitized rel_path.
  3. Parse JSON output; respond to user with results or error message.
  4. If path invalid or outside workspace, reject immediately.

Safety Guidelines

  • Enforce read-only: No writes, deletes, or exec beyond scripts.
  • Log accesses if verbose mode enabled.
  • For large files (>10k chars), truncate or summarize.

Edge Cases

  • Empty path: Default to "." (workspace root).
  • Binary file: Return error "Non-text file".
  • See references/examples.md for more (if added).

Bundled Resources

  • scripts/list_files.sh: Bash wrapper for ls.
  • scripts/read_file.sh: Bash wrapper for cat with limits.
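The scan's recommended mitigations (canonical-path check, symlink rejection, safe JSON, NUL-separated names) applied to the {success, data, error} contract that SKILL.md defines for the two bundled scripts. This is an added example written for this review, not the skill's own list_files.sh or read_file.sh. It assumes bash 4+ and GNU coreutils (realpath -e, sort -z, head -c), takes the workspace root as its first argument instead of hard-coding /home/alfred/.openclaw/workspace, and adds a truncated field to the read result that the original schema does not have.

```bash
#!/usr/bin/env bash
# Hardened list/read helpers (added example, not the skill's scripts).
# Assumes bash 4+ and GNU coreutils. Workspace root is passed in, not hard-coded.

# Escape one string for embedding inside a JSON string literal.
json_escape() {
  local s=$1 i c u
  s=${s//\\/\\\\}          # backslash first so later escapes are not doubled
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  # Any other C0 control byte becomes \u00XX, which JSON requires.
  for ((i = 1; i < 32; i++)); do
    case $i in 9|10|13) continue ;; esac
    printf -v c "\\$(printf '%03o' "$i")"
    printf -v u '\\u%04x' "$i"
    s=${s//"$c"/$u}
  done
  printf '%s' "$s"
}

json_error() {
  printf '{"success":false,"data":null,"error":"%s"}\n' "$(json_escape "$1")"
}

# Print the canonical absolute path of ROOT/REL, or fail if REL is absolute,
# does not exist, is itself a symlink, or resolves outside the canonical root.
resolve_in_workspace() {
  local root rel abs
  root=$(realpath -e -- "$1") || return 1
  rel=${2:-.}                                  # empty path means workspace root
  case $rel in /*) return 1 ;; esac            # no absolute paths
  if [ -L "$root/$rel" ]; then return 1; fi    # strict: never follow a symlink
  abs=$(realpath -e -- "$root/$rel" 2>/dev/null) || return 1
  # Separator-aware prefix check: "$root/*", not a bare string prefix.
  case $abs in "$root"|"$root"/*) ;; *) return 1 ;; esac
  printf '%s\n' "$abs"
}

# {"success":true,"data":[names...],"error":null}
list_dir_json() {
  local abs entry sep="" out
  abs=$(resolve_in_workspace "$1" "$2") || { json_error "invalid or out-of-workspace path"; return 1; }
  [ -d "$abs" ] || { json_error "not a directory"; return 1; }
  out='{"success":true,"data":['
  # NUL-separated listing survives names containing newlines or quotes.
  while IFS= read -r -d '' entry; do
    out+="$sep\"$(json_escape "${entry##*/}")\""
    sep=","
  done < <(find "$abs" -mindepth 1 -maxdepth 1 -print0 | LC_ALL=C sort -z)
  printf '%s],"error":null}\n' "$out"
}

# {"success":true,"data":"text","truncated":bool,"error":null}; LIMIT is in bytes.
read_file_json() {
  local abs limit=${3:-10000} n1 n2 size content truncated=false
  abs=$(resolve_in_workspace "$1" "$2") || { json_error "invalid or out-of-workspace path"; return 1; }
  [ -f "$abs" ] || { json_error "not a regular file"; return 1; }
  # Binary check: a NUL byte within the first 8 KiB means "Non-text file".
  n1=$(head -c 8192 -- "$abs" | wc -c)
  n2=$(head -c 8192 -- "$abs" | tr -d '\000' | wc -c)
  [ "$((n1))" -eq "$((n2))" ] || { json_error "Non-text file"; return 1; }
  # Trailing 'x' stops $(...) from stripping the file's final newlines.
  content=$(head -c "$limit" -- "$abs"; printf x)
  content=${content%x}
  size=$(wc -c < "$abs")
  [ "$((size))" -le "$limit" ] || truncated=true
  printf '{"success":true,"data":"%s","truncated":%s,"error":null}\n' \
    "$(json_escape "$content")" "$truncated"
}

# Direct use: ./browse.sh list|read WORKSPACE REL [LIMIT]
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 3 ]; then
  case $1 in
    list) list_dir_json "$2" "$3" ;;
    read) read_file_json "$2" "$3" "${4:-10000}" ;;
    *) json_error "unknown action: $1"; exit 1 ;;
  esac
fi
```

A dangling symlink, a symlink to a file elsewhere on disk, a symlink directory such as up -> .., an absolute path and a ../ escape all get the same error object, and a filename containing a quote or newline survives the listing as a valid JSON string. The path check is still a time-of-check/time-of-use check: if something else can write to the workspace between the realpath call and the read, it could swap a file for a symlink in that window, so do not treat this as a substitute for running the skill in a confined environment.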

Files

3 total