ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

file share to filebin.net

v1.0.2

Upload local files to filebin.net for quick sharing. Use when the user asks to upload a file, share a file via link, host a file, or says "upload to filebin"...

0· 14·0 current·0 all-time
byJay@goog
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name and description align with the instructions (upload to filebin.net). However the SKILL.md directs the agent to locate files in ~/.openclaw/workspace, while the declared metadata lists no required config paths or file access. That mismatch (metadata says 'none' but instructions require reading a user filesystem location) is incoherent and noteworthy.
!
Instruction Scope
Instructions explicitly tell the agent to find a file under ~/.openclaw/workspace and run a curl POST to filebin.net. Uploading to filebin.net is expected for this purpose, but the SKILL.md presumes access to a specific user directory (and uses a PowerShell curl snippet) without declaring or justifying that access; it also doesn't require an explicit user confirmation step before uploading. This grants the agent the ability to read and transmit any file from that path if invoked.
Install Mechanism
Instruction-only skill with no install spec or code to download. This minimizes supply-chain risk because nothing will be written or executed beyond what the agent itself is instructed to run at runtime.
Credentials
The skill requests no credentials or environment variables (appropriate for a public file upload service). However, it nevertheless requires access to a local path (~/.openclaw/workspace) that is not declared in the metadata; this implicit file access is the main proportionality concern rather than any secret access.
Persistence & Privilege
The skill is not marked always:true and does not request persistent or elevated privileges or modification of other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other high-privilege requests.
What to consider before installing
This skill appears to do what it says (upload a file to filebin.net), but its runtime instructions require reading files from ~/.openclaw/workspace even though the registry metadata declares no config/file-path access. Before installing, confirm: (1) which exact files the agent will be allowed to read — it should prompt you to pick the file each time, (2) you are not exposing private or sensitive files (filebin uploads are public and expire after 7 days), (3) the platform where the agent runs supports the provided PowerShell/curl commands or that the instructions are adapted for your OS, and (4) you are comfortable granting the agent read-access to the stated workspace path. If any of these are unacceptable, decline or ask the publisher to correct the metadata and add explicit user-consent prompts.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dq7cec3863rm8s5f6fad8ns8482hf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments