Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Exfat Recovery

v1.0.0

Recover corrupted exFAT USB drives on Windows without formatting. Diagnose boot region corruption, repair with chkdsk or TestDisk, and prevent future corrupt...

by Solomon Neas @solomonneas

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for solomonneas/exfat-recovery.

Install the skill "Exfat Recovery" (solomonneas/exfat-recovery) from ClawHub.
Skill page: https://clawhub.ai/solomonneas/exfat-recovery
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install exfat-recovery

ClawHub CLI

npx clawhub@latest install exfat-recovery
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to diagnose and repair exFAT boot-region corruption and to provide prevention scripts. The SKILL.md and included references provide PowerShell diagnostic commands, chkdsk usage, TestDisk guidance, and scripts to back up/restore boot region and register shutdown/scheduled tasks — all directly relevant to the described purpose.
Instruction Scope
Instructions include running commands as Administrator, reading from and writing raw disk devices (e.g. \\.\PhysicalDriveN), invoking chkdsk, and modifying Group Policy/registry keys. Those actions are necessary for boot-region backup/restore and prevention, but they are high-impact and must be executed carefully (wrong disk/offset will corrupt other volumes). The skill does not explicitly state the required Administrator privilege level, which is an important practical detail.
Install Mechanism
This is instruction-only (no install spec, no code to fetch). The only external tool recommended is TestDisk with a link to the official site (cgsecurity.org). No remote downloads or archives are automatically fetched by the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. However, the runtime actions require Administrator access and write access to raw device paths and HKLM registry keys. Those privileges are proportional to the prevention (scheduled task as SYSTEM, Group Policy changes) but are high privilege and not explicitly documented as required in the metadata.
Persistence & Privilege
The prevention workflow instructs creating a scheduled task that runs as SYSTEM and registering a Group Policy shutdown script via HKLM — both create persistent, high-privilege system changes. While these are coherent with the prevention goals, they increase attack surface and should only be applied by a knowledgeable administrator after verifying disk identifiers and script contents.
Assessment
This skill appears to do what it says, but it performs high-impact, privileged operations. Before using it: (1) Understand that you must run commands as Administrator and be extremely careful selecting the correct PhysicalDrive number and partition offset — writing to the wrong device will irreversibly damage data. (2) Back up any critical data (or work on a disk image) before attempting writes or restores. (3) Only download TestDisk from the official site linked in the instructions. (4) Review the scheduled-task and Group Policy changes; creating tasks that run as SYSTEM or adding shutdown scripts changes system behavior and should be applied intentionally. (5) If you are unsure, seek help from an experienced sysadmin or data-recovery professional rather than running raw-disk write operations yourself.

latest vk97c299gxdbdb269s4wme33brx838w7e
105 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

exFAT Recovery — Fix "Needs to be Formatted" Without Losing Data

When Windows says your external drive "needs to be formatted," your data is almost always fine. The exFAT boot region got corrupted (usually from write caching + unexpected shutdown). This skill walks through diagnosis, repair, and prevention.

When to Use

  • External USB drive suddenly says "needs to be formatted"
  • Drive shows in Disk Management but filesystem is blank
  • chkdsk reports "Corruption was found while examining the boot region"
  • Any exFAT drive that won't mount after a crash or reboot

Diagnosis

Step 1: Confirm the drive is recognized

Get-Disk | Format-Table Number, FriendlyName, Size, PartitionStyle, OperationalStatus, HealthStatus -AutoSize

If HealthStatus is Healthy and OperationalStatus is Online, the hardware is fine. If not, you have a hardware problem, which needs a different fix.

Step 2: Check the partition exists

Get-Partition -DriveLetter H | Format-Table PartitionNumber, DriveLetter, Size, Type -AutoSize

Partition visible = partition table intact. Good sign.

Step 3: Check filesystem status

Get-Volume -DriveLetter H | Format-List DriveLetter, FileSystem, Size, SizeRemaining, HealthStatus

If FileSystem is blank and Size is 0, the filesystem metadata is corrupted but the partition is there.

Step 4: Read-only chkdsk to confirm

chkdsk H:

Look for: Corruption was found while examining the boot region. This confirms it's fixable.

Recovery

Option 1: chkdsk /F (try this first)

Run as Administrator:

chkdsk H: /F

This repairs the exFAT boot region from the backup copy (exFAT stores backup boot sectors at sectors 12-23). For an 8TB drive with ~140K files, it takes a few minutes.

Verify after:

Get-Volume -DriveLetter H
Get-ChildItem H:\ | Select-Object Name | Format-Table -AutoSize

Option 2: TestDisk (if chkdsk fails)

  1. Download from https://www.cgsecurity.org/wiki/TestDisk
  2. Run testdisk_win.exe as Administrator
  3. Select physical disk → GPT → Advanced → Boot
  4. TestDisk rebuilds the boot sector from the backup copy

Option 3: Data recovery tools (last resort)

If the filesystem is unrecoverable:

  • R-Studio (paid, best for exFAT) — recovers directory structure
  • PhotoRec (free) — recovers files by type, loses filenames
  • DMDE (free tier) — good at exFAT reconstruction

Prevention

1. Disable write caching (most important)

Write caching is the #1 cause of exFAT corruption on external drives.

Device Manager method:

  1. Device Manager → Disk drives → your external drive
  2. Properties → Policies tab
  3. Select "Quick removal" (disables write cache)

PowerShell (scriptable):

# Adjust Ven_ and Prod_ to match your drive
$devPath = "HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_Samsung&Prod_PSSD_T5_EVO"
$instances = Get-ChildItem $devPath
foreach ($inst in $instances) {
    $diskParamPath = Join-Path $inst.PSPath "Device Parameters\Disk"
    if (Test-Path $diskParamPath) {
        Set-ItemProperty -Path $diskParamPath -Name "UserWriteCacheSetting" -Value 0 -Type DWord
    }
}

2. Shutdown flush script

Insurance even with write caching disabled. Use scripts/safe-shutdown.ps1 and register it as a Group Policy shutdown script. See references/prevention-scripts.md for the full setup.

3. Weekly boot region backup

Use scripts/backup-boot-region.ps1 to save a copy of the exFAT boot region every week. If corruption happens again, restore from backup instead of hoping chkdsk works.

4. Restore from backup

# Run as Admin - writes raw bytes to disk
$disk = "\\.\PhysicalDrive3"  # adjust: N is the Number column from Get-Disk
$offset = 16777216             # partition offset in bytes (the Offset value from Get-Partition)
$backupFile = "C:\path\to\exfat_boot_region_YYYYMMDD.bin"

$buf = [System.IO.File]::ReadAllBytes($backupFile)
$fs = [System.IO.File]::Open($disk, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Write, [System.IO.FileShare]::ReadWrite)
try {
    # Seek to the start of the partition, then overwrite the boot region with the backup
    [void]$fs.Seek($offset, [System.IO.SeekOrigin]::Begin)
    $fs.Write($buf, 0, $buf.Length)
    $fs.Flush()
}
finally {
    $fs.Close()   # release the raw-disk handle even if the write fails
}
# Then: chkdsk H: /F
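
A pre-write check for the restore step above, as an added example that is not part of the skill or its scripts: it verifies that a backup image is a coherent exFAT main boot region (filesystem name, boot signature, checksum sector) and that the PartitionOffset recorded in it matches the byte offset about to be written. The function names are hypothetical, the backup file is assumed to start at partition sector 0 and cover at least sectors 0-11, and the sample image is constructed in memory.

```powershell
# Added example (not from the skill): validate a boot-region backup before restoring it.
function Get-ExfatBootChecksum([byte[]]$Region, [int]$SectorSize) {
    # exFAT boot checksum: rotate right by one bit, then add each byte of sectors 0-10,
    # skipping VolumeFlags (bytes 106-107) and PercentInUse (byte 112).
    [long]$sum = 0
    for ($i = 0; $i -lt (11 * $SectorSize); $i++) {
        if ($i -eq 106 -or $i -eq 107 -or $i -eq 112) { continue }
        $sum = ((($sum -band 1) * 2147483648) + ($sum -shr 1) + $Region[$i]) -band 4294967295
    }
    return $sum
}

function Test-ExfatBootRegion([byte[]]$Region, [long]$ExpectedOffsetBytes) {
    # Returns a list of problems; an empty result means the image passed every check.
    if ($Region.Length -lt 6144) { return 'image is shorter than 12 sectors of 512 bytes' }
    $problems = @()
    $name = [System.Text.Encoding]::ASCII.GetString($Region, 3, 8)
    if ($name -ne 'EXFAT   ') { $problems += "FileSystemName is '$name', expected 'EXFAT   '" }
    if ($Region[510] -ne 0x55 -or $Region[511] -ne 0xAA) { $problems += 'boot signature 55 AA is missing' }
    [int]$shift = $Region[108]                      # BytesPerSectorShift, valid range 9..12
    if ($shift -lt 9 -or $shift -gt 12) { return $problems + "BytesPerSectorShift $shift is out of range" }
    $sectorSize = 1 -shl $shift
    if ($Region.Length -lt (12 * $sectorSize)) { return $problems + 'image does not cover sectors 0-11' }
    # PartitionOffset (byte 64) is in sectors; 0 means "not recorded", so only compare when set.
    $recorded = [BitConverter]::ToInt64($Region, 64) * $sectorSize
    if ($recorded -ne 0 -and $recorded -ne $ExpectedOffsetBytes) {
        $problems += "image was taken at byte offset $recorded, restore targets $ExpectedOffsetBytes"
    }
    $stored = [long][BitConverter]::ToUInt32($Region, 11 * $sectorSize)
    $calc = Get-ExfatBootChecksum $Region $sectorSize
    if ($stored -ne $calc) { $problems += ('checksum sector holds {0:X8}, computed {1:X8}' -f $stored, $calc) }
    return $problems
}

# Constructed sample: a synthetic 12-sector region built in memory, not data from a real drive.
$img = New-Object byte[] 6144
[System.Text.Encoding]::ASCII.GetBytes('EXFAT   ').CopyTo($img, 3)
[BitConverter]::GetBytes([uint64]32768).CopyTo($img, 64)      # 32768 sectors * 512 = 16777216 bytes
$img[108] = 9; $img[510] = 0x55; $img[511] = 0xAA
$ck = [BitConverter]::GetBytes([uint32](Get-ExfatBootChecksum $img 512))
for ($o = 5632; $o -lt 6144; $o += 4) { $ck.CopyTo($img, $o) }   # sector 11 repeats the checksum
"intact image: $(@(Test-ExfatBootRegion $img 16777216).Count) problem(s)"
$img[80] = 0xFF                                                # simulate a torn write to sector 0
Test-ExfatBootRegion $img 16777216                             # torn image: checksum check fails
Test-ExfatBootRegion $img 1048576                              # wrong target offset is flagged too
```

Against a real backup, call Test-ExfatBootRegion ([System.IO.File]::ReadAllBytes($backupFile)) $offset and proceed with the raw write only if it returns nothing.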

Key Facts

  • "Needs to be formatted" almost always means corrupted metadata, NOT lost data
  • exFAT doesn't journal like NTFS, so it's fragile on unexpected shutdowns
  • exFAT keeps a backup boot region at sectors 12-23 of the partition
  • chkdsk /F fixes most cases by restoring from this backup
  • Write caching on external drives is the #1 cause. Disable it.
  • DO NOT format the drive. That actually destroys the data.

Root Cause

exFAT has no journaling. When Windows has write caching enabled for an external drive and the system reboots (crash, update, power loss), dirty cached writes never flush. The boot region (filesystem's "table of contents") gets partially written and becomes unreadable. The actual file data on disk is untouched.
