Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
File Diff
v1.0.0
Compare two files and display their differences in a human-readable markdown format. Use when asked to "compare files", "show diff", "compare differences", "...
by Super 9° @super9du
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The script and SKILL.md both describe running the system 'diff -u' command and formatting its output to markdown — this aligns with the skill name and description. However, the package metadata declares no required binaries while the code invokes the external 'diff' binary via subprocess, so the manifest is incomplete/inconsistent.
Instruction Scope
Instructions and the bundled script only describe running diff on two files, parsing the unified diff output, and producing markdown. There are no instructions to read unrelated system state, call external endpoints, or access environment variables. Note: because the tool reads arbitrary file paths provided to it, it can reveal the contents of any files the agent is permitted to access (including secrets) in the diff output.
Install Mechanism
There is no install spec (instruction-only) and the repository contains a small helper script. Nothing is downloaded from external URLs or installed on the system by the skill itself, which is a low-install-risk configuration. The helper delegates to the system 'diff' binary.
Credentials
The skill requests no environment variables, credentials, or config paths and the code does not read env vars. This is proportionate to the stated purpose.
Persistence & Privilege
The skill is not marked 'always' and does not request elevated persistence. Model invocation is allowed (platform default) but there is no evidence the skill attempts to modify agent-wide settings or other skills.
What to consider before installing
This skill appears to do what it says: run 'diff -u' on two files and format the output as markdown. Before installing, consider the following:
(1) Metadata omits the external dependency: the bundled script calls the system 'diff' command — ensure 'diff' is available and trustworthy on your host.
(2) The skill will output the contents of any files you ask it to compare; avoid giving it paths that contain secrets (keys, passwords, tokens) or run it in a sandbox.
(3) The source and homepage are unknown — prefer skills from known publishers or review the code yourself.
(4) If you plan to use this in an automated agent, ensure the agent is constrained so it cannot be instructed to diff sensitive system files.
If you trust the code and your environment, this is low-risk; otherwise exercise caution or request a version with declared dependency metadata and an auditable source.
Like a lobster shell, security has layers — review code before you run it.
latest vk97btp68ng6jx8nwz0jfb53ky184hage
