ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

file-browser

v1.0.0

Read-only file browsing and reading in the OpenClaw workspace (/home/alfred/.openclaw/workspace). Use for listing directories or reading text files (up to 10...

0· 1.4k·14 current·14 all-time
by@nagilem

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for nagilem/file-browser.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "file-browser" (nagilem/file-browser) from ClawHub.
Skill page: https://clawhub.ai/nagilem/file-browser
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install file-browser

ClawHub CLI

Package manager switcher

npx clawhub@latest install file-browser
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and included scripts align: the skill only lists and reads files under /home/alfred/.openclaw/workspace and declares no extra dependencies or credentials.
!
Instruction Scope
SKILL.md restricts to relative paths and read-only operations and the scripts generally enforce these checks, but the scripts do not prevent symlink traversal (a workspace-file that is a symlink can point outside the workspace) and they emit JSON by interpolating raw filenames/file contents without escaping, which can break parsing or enable JSON injection. There is no handling for filenames containing quotes, newlines, or other special characters.
Install Mechanism
No install spec; instruction-only with two small scripts. No external downloads or package installs are performed.
Credentials
No environment variables, credentials, or config paths are requested. This is proportionate to a read-only file browser.
Persistence & Privilege
Skill is not always-enabled and uses normal invocation. It does not request elevated or persistent privileges.
What to consider before installing
This skill generally does what it says, but do not install blindly: the scripts allow symlink traversal (a file inside the workspace that is a symlink could let the skill read files outside the workspace) and build JSON by directly embedding filenames and file contents without proper escaping (filenames or file contents with quotes/newlines/backslashes can corrupt JSON or be abused). Recommended mitigations before use: 1) resolve and verify the absolute path (e.g., realpath or readlink -f) and ensure it has the workspace prefix to block symlink/outside reads; 2) refuse to follow symlinks or explicitly check for and reject symlinks if you want strict confinement; 3) produce JSON safely (use a JSON encoder such as jq, Python's json.dumps, or printf with proper escaping) rather than interpolating raw data; 4) harden filename handling (handle newlines and quotes, or return names via null-separated output); and 5) validate parsed JSON before using results. If you cannot patch the scripts, consider running the skill in a restricted environment or rejecting it. Confidence is medium — code is small and readable, but the above issues are real and should be fixed before trusting the skill with sensitive workspace contents.

Like a lobster shell, security has layers — review code before you run it.

latestvk9783ek4ktzjkz9by1y0v8cgvn82mdma
1.4kdownloads
0stars
1versions
Updated 16h ago
v1.0.0
MIT-0
@nagilem
latest
Download

File Browser Skill

Quick Start

Resolve all paths relative to WORKSPACE=/home/alfred/.openclaw/workspace. Sanitize inputs to prevent escapes or absolutes.

  • To list directory: exec("scripts/list_files.sh", [rel_path]) → JSON {success: bool, data: array of names, error: string}
  • To read file: exec("scripts/read_file.sh", [rel_path]) → JSON {success: bool, data: string (text content), error: string}
  • Handle errors: For binary/large/non-text files, return error JSON.

Step-by-Step Workflow

  1. Parse user query for action (list/read) and relative path.
  2. Call appropriate script with sanitized rel_path.
  3. Parse JSON output; respond to user with results or error message.
  4. If path invalid or outside workspace, reject immediately.

Safety Guidelines

  • Enforce read-only: No writes, deletes, or exec beyond scripts.
  • Log accesses if verbose mode enabled.
  • For large files (>10k chars), truncate or summarize.

Edge Cases

  • Empty path: Default to "." (workspace root).
  • Binary file: Return error "Non-text file".
  • See references/examples.md for more (if added).

Bundled Resources

  • scripts/list_files.sh: Bash wrapper for ls.
  • scripts/read_file.sh: Bash wrapper for cat with limits.

Comments

Loading comments...