ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ftp Client

FTP/FTPS client skill. Connect to FTP servers and perform file operations (list, upload, download, delete, move, copy, mkdir, read). Supports FTP and FTPS (e...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 39 · 0 current installs · 0 all-time installs
by@erayai
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (node), primary env var (FTP_CONNECTION), package.json dependency (basic-ftp), and provided scripts all align with an FTP/FTPS client that lists, uploads, downloads, deletes, moves, copies, and reads files.
Instruction Scope
SKILL.md and the scripts instruct the agent to run node scripts that will access the network (FTP servers) and local filesystem (uploads, downloads, temp files). This is expected for an FTP client, but it means the skill can read arbitrary local paths when asked (and upload them to the configured FTP server) and will write temporary files during copy/download operations — consider this an exfiltration risk if untrusted commands or prompts are used.
Install Mechanism
No explicit install spec is provided in the registry metadata despite a package.json listing basic-ftp as a dependency; SKILL.md states basic-ftp is auto-installed via package.json. That is reasonable but inconsistent: the platform or operator must ensure dependencies are installed (npm install) prior to running the scripts. No remote download URLs or obscure installers are used.
Credentials
Only FTP_CONNECTION is required and it is used as expected to supply host, port, username, and password. That is proportionate. Two cautions: (1) credentials are passed in a single env var — protect it like any secret; (2) the code sets rejectUnauthorized: false for FTPS by default, allowing self-signed certificates which weakens TLS security (this is sometimes necessary for legacy FTP servers but is a security tradeoff).
Persistence & Privilege
Skill does not request permanent presence (always: false), does not modify other skills or system-wide configs, and uses only the declared env var. Normal privilege profile for a user-invocable FTP client.
Assessment
This skill appears to do what it says: it's an FTP/FTPS client implemented as Node scripts. Before installing, consider the following: - FTP_CONNECTION contains your FTP server host, user, and password; treat it as a secret and only set it for servers you trust. Use short-lived or limited-permission accounts where possible. - The scripts can read arbitrary local files (for upload or copy) and write to temporary directories; do not run the skill with commands that reference sensitive local paths unless you trust the target server and the invocation context. - FTPS TLS verification is disabled by default (rejectUnauthorized: false) to allow self-signed certs; if you require strict certificate validation, modify createFtpClient to enable verification. - There's a package.json dependency (basic-ftp) but no explicit install step in the registry metadata — ensure the runtime environment has dependencies installed (npm install) before running the scripts. - If you will allow autonomous agent invocation, remember the agent could perform FTP operations automatically using the provided FTP_CONNECTION; consider limiting autonomous use or providing credentials with minimal permissions. If you need higher assurance, request the packager to add an explicit install step, enable strict FTPS verification, and consider an option to restrict allowed local paths for uploads.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk979devbfcztvp4gqgam9x5cw58312a5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📂 Clawdis
Binsnode
EnvFTP_CONNECTION
Primary envFTP_CONNECTION

SKILL.md

FTP Client

Full-featured FTP/FTPS client skill for OpenClaw. Connect to remote FTP servers and manage files directly.

Environment Variable

Set FTP_CONNECTION in the OpenClaw skill management panel. Format (comma-separated, last 3 fields optional):

host:port,username,password,active/passive,ftp/ftps,explicit/implicit

Examples:

ftp.example.com:21,myuser,mypassword
ftp.example.com:21,myuser,mypassword,passive
ftp.example.com:990,myuser,mypassword,passive,ftps,implicit

Field definitions:

  • Field 1 (required): host:port — FTP server address and port
  • Field 2 (required): username — FTP login username
  • Field 3 (required): password — FTP login password
  • Field 4 (optional): active or passive — connection mode (default: passive)
  • Field 5 (optional): ftp or ftps — protocol (default: ftp)
  • Field 6 (optional): explicit or implicit — TLS mode for FTPS (default: not used; only meaningful when field 5 is ftps)

Note: If your password contains commas, replace them with %2C (URL-encoded). The parser will decode it.

List directory

node {baseDir}/scripts/list.mjs
node {baseDir}/scripts/list.mjs "/remote/path"
node {baseDir}/scripts/list.mjs "/" --long

Options:

  • --long or -l: Show detailed file info (size, date, permissions)

Download file

node {baseDir}/scripts/download.mjs "/remote/file.txt"
node {baseDir}/scripts/download.mjs "/remote/file.txt" --out "/local/path/file.txt"
node {baseDir}/scripts/download.mjs "/remote/dir" --dir

Options:

  • --out <path> or -o <path>: Local destination path (default: temp directory)
  • --dir or -d: Download entire directory recursively

Upload file

node {baseDir}/scripts/upload.mjs "/local/file.txt"
node {baseDir}/scripts/upload.mjs "/local/file.txt" --to "/remote/path/file.txt"
node {baseDir}/scripts/upload.mjs "/local/dir" --dir --to "/remote/dir"

Options:

  • --to <path> or -t <path>: Remote destination path (default: FTP root /)
  • --dir or -d: Upload entire directory recursively

Delete file or directory

node {baseDir}/scripts/delete.mjs "/remote/file.txt"
node {baseDir}/scripts/delete.mjs "/remote/dir" --dir

Options:

  • --dir or -d: Remove directory recursively (including all contents)

Move / Rename

node {baseDir}/scripts/move.mjs "/remote/old-name.txt" "/remote/new-name.txt"
node {baseDir}/scripts/move.mjs "/remote/file.txt" "/remote/subdir/file.txt"

Copy file

node {baseDir}/scripts/copy.mjs "/remote/source.txt" "/remote/dest.txt"

FTP protocol does not natively support copy. This downloads the file to a temp location and re-uploads it.

Create directory

node {baseDir}/scripts/mkdir.mjs "/remote/new-dir"
node {baseDir}/scripts/mkdir.mjs "/remote/path/to/deep/dir"

Creates the directory and all intermediate directories as needed.

Read file content

node {baseDir}/scripts/read.mjs "/remote/file.txt"
node {baseDir}/scripts/read.mjs "/remote/file.txt" --encoding utf8

Options:

  • --encoding <enc>: File encoding (default: utf8). Supports: utf8, ascii, latin1, base64

File info (size, date)

node {baseDir}/scripts/info.mjs "/remote/file.txt"

Returns file size and last modification date.

Notes

  • Requires node and uses the basic-ftp npm package (auto-installed via package.json).
  • Set FTP_CONNECTION env var before use.
  • Passive mode is recommended for most NAT/firewall scenarios.
  • For FTPS, the skill supports both explicit (port 21 typical) and implicit (port 990 typical) TLS.
  • Large file transfers show progress output.

Files

12 total
Select a file
Select a file to preview.

Comments

Loading comments…