ClawHub

File Transfer

v0.2.0

Transfers files intelligently based on chat context with MIME validation and progress tracking, supporting Telegram and extensible channels.

0· 19·0 current·0 all-time
by@ghostwritten
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: a FileTransferSkill with a ContextEngine, FileManager, and a TelegramAdapter (simulated). The code implements MIME checks, chunking, progress tracking and context analysis as advertised. Minor metadata mismatch: registry says 'instruction-only' but the package includes full source and package.json with a GitHub repo URL.
Instruction Scope
SKILL.md instructs using the library API (import and call sendFileWithContext or adapter methods). It does not instruct reading unrelated files, environment variables, or sending data to unexpected external endpoints. The README/SKILL.md and code consistently note that Telegram integration is simulated and no bot token or external network call is performed by the current code.
Install Mechanism
No install spec in the registry, but package.json is present and references normal npm installation. There are no downloads from arbitrary URLs or extract/install steps. Dependencies are minimal and from npm (mime-types).
Credentials
The skill requests no environment variables, no credentials, and no external config paths. Example/chat IDs are provided only as parameters. The code does not attempt to read other environment secrets.
Persistence & Privilege
The skill is not always-enabled and may be invoked by the model normally. It writes temporary files under /tmp (default tempDir '/tmp/file-transfer'); this is proportionate to file transfer functionality but you should be aware it will create and delete temp files on disk while in use.
Assessment
This package appears to implement what it claims: a local, simulated file-transfer library with Telegram adapter logic but no real network/bot integration and no credential requests. Before installing: 1) prefer obtaining the package from a trusted registry or the referenced GitHub repo to confirm provenance; 2) if you later enable a real Telegram adapter, be careful where you provide the bot token (only pass it to code you trust) and verify the adapter's implementation for secure storage/usage of tokens; 3) note the library will create temp files under /tmp by default—if that is a concern set a custom tempDir; 4) the package simulates chunk data in readFileInChunks rather than streaming actual file bytes — review and modify that behavior before using with real transfers. If you want further assurance, provide the exact npm package source (registry URL or tarball) or run a dependency audit/build in an isolated environment and I can re-evaluate.

Like a lobster shell, security has layers — review code before you run it.

ai-agentvk977hj7hh4qf39xbqnvjmf47mh84evx9context-awarevk977hj7hh4qf39xbqnvjmf47mh84evx9file-transfervk977hj7hh4qf39xbqnvjmf47mh84evx9latestvk977hj7hh4qf39xbqnvjmf47mh84evx9telegramvk977hj7hh4qf39xbqnvjmf47mh84evx9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments