ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ftp Client Php

FTP/FTPS file manager via PHP proxy. Supports list, upload, download, delete, move, copy, mkdir, read, write. Works behind NAT/firewalls (e.g. HuggingFace) b...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 11 · 0 current installs · 0 all-time installs
by@erayai
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (node), and the single required env var (FTP_PHP_CONFIG) are consistent with a Node-based FTP client that proxies operations through a PHP HTTP endpoint. The env JSON fields (ftp_php_domain, ftp_client_host, ftp_client_username/password, etc.) are exactly what this proxy-based design needs.
Instruction Scope
Runtime instructions and included scripts stay within the described scope (list, upload, download, read, write, delete, move, copy, mkdir). However, the runtime will: (1) read local files for uploads and --stdin content, (2) write downloaded files to local disk, and (3) transmit FTP credentials and file contents to the configured ftp_php_domain. The client also sets HTTPS option rejectUnauthorized: false (accepts self-signed certs), which reduces TLS protections if used with untrusted endpoints.
Install Mechanism
There is no packaged install step; code files are included and require only Node to run. No external downloads or installers are invoked. This is low-risk from an install mechanism standpoint (nothing fetched/executed from arbitrary URLs).
Credentials
Only one environment variable is required (FTP_PHP_CONFIG) and it contains the FTP server credentials, proxy URL, and optional API key — which are necessary for the skill to operate. That is proportionate, but it means sensitive credentials and file contents will be stored in the skill environment and sent to the configured PHP proxy, so you must trust the proxy endpoint/operator.
Persistence & Privilege
The skill is not forced-always, does not request elevated platform privileges, and does not alter other skills or global agent config. Autonomous invocation is allowed (platform default) but not combined with any suspicious persistent privileges.
Assessment
This skill appears to do what it says: it runs Node scripts that call a PHP proxy you specify and will send your FTP username/password and file contents to that proxy. Before installing: (1) only use a php proxy URL you control or fully trust — do not point to a third-party endpoint you don't administer, (2) if possible set and require ftp_php_apikey and host controls on the proxy, (3) host the PHP proxy on HTTPS with a valid certificate (the client currently allows self-signed certs by default), (4) review the PHP proxy server code (the project links to a proxy repo) so you know how it stores/uses credentials and files, (5) avoid putting long-lived secrets into shared agent environments and consider rotating credentials after use, and (6) be aware uploads read arbitrary local paths and downloads write to local disk — run with least privilege and avoid using it from multi-tenant or untrusted runtimes.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk97d30b60m8jmee90dcv4vkycs831ghe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📂 Clawdis
Binsnode
EnvFTP_PHP_CONFIG
Primary envFTP_PHP_CONFIG

SKILL.md

FTP Client (PHP Proxy)

Full-featured FTP/FTPS client skill for OpenClaw. Routes all FTP operations through an HTTP PHP proxy server, so it works even when direct FTP connections are blocked (e.g. HuggingFace Spaces, serverless environments). Click to deploy ftp-php-proxy.

Architecture

OpenClaw ──HTTP──▶ PHP Proxy Server (api.php) ──FTP──▶ FTP Server

Environment Variable

Set FTP_PHP_CONFIG in the OpenClaw skill management panel. JSON format:

{"ftp_php_domain":"https://your-server.com/api.php","ftp_php_apikey":"","ftp_client_host":"ftp.example.com","ftp_client_port":"21","ftp_client_username":"user","ftp_client_password":"pass","ftp_client_connect_mode":"passive","ftp_client_protocol":"ftps","ftp_client_encrypt_mode":"explicit"}

Field definitions:

  • ftp_php_domain (required): Full URL of the PHP proxy api.php endpoint
  • ftp_php_apikey (optional): API key for the PHP proxy, empty string = no auth
  • ftp_client_host (required): FTP server hostname
  • ftp_client_port (optional): FTP server port, default 21
  • ftp_client_username (required): FTP login username
  • ftp_client_password (required): FTP login password
  • ftp_client_connect_mode (optional): active or passive, default passive
  • ftp_client_protocol (optional): ftp or ftps, default ftp
  • ftp_client_encrypt_mode (optional): explicit or implicit, only meaningful when protocol is ftps

Example (alwaysdata FTPS):

{"ftp_php_domain":"https://your-server.com/api.php","ftp_php_apikey":"","ftp_client_host":"ftp.example.com","ftp_client_port":"21","ftp_client_username":"user","ftp_client_password":"pass","ftp_client_connect_mode":"passive","ftp_client_protocol":"ftps","ftp_client_encrypt_mode":"explicit"}

List directory

node {baseDir}/scripts/list.mjs
node {baseDir}/scripts/list.mjs "/remote/path"
node {baseDir}/scripts/list.mjs "/" --detailed

Options:

  • --detailed or -l: Show detailed file info (size, date, permissions, type)

Download file

node {baseDir}/scripts/download.mjs "/remote/file.txt"
node {baseDir}/scripts/download.mjs "/remote/file.txt" --out "/local/save/path.txt"

Options:

  • --out <path> or -o <path>: Local save path (default: system temp directory)

Upload file

node {baseDir}/scripts/upload.mjs "/local/file.txt" --to "/remote/path/file.txt"

Options:

  • --to <path> or -t <path>: Remote destination path (required)

Write text content to remote file

node {baseDir}/scripts/write.mjs "/remote/file.txt" "file content here"
node {baseDir}/scripts/write.mjs "/remote/file.txt" --stdin < local_file.txt

Read file content

node {baseDir}/scripts/read.mjs "/remote/file.txt"

Delete file or directory

node {baseDir}/scripts/delete.mjs "/remote/file.txt"
node {baseDir}/scripts/delete.mjs "/remote/dir" --dir

Options:

  • --dir or -d: Remove directory recursively

Move / Rename

node {baseDir}/scripts/move.mjs "/remote/old.txt" "/remote/new.txt"

Copy file

node {baseDir}/scripts/copy.mjs "/remote/source.txt" "/remote/dest.txt"

Create directory

node {baseDir}/scripts/mkdir.mjs "/remote/new-dir"

File info

node {baseDir}/scripts/info.mjs "/remote/file.txt"

Notes

  • All FTP operations are proxied through your PHP server via HTTP.
  • Upload works by sending file as base64 to the PHP proxy.
  • Download retrieves base64 content from the PHP proxy and saves locally.
  • Large files are supported but limited by PHP server's upload_max_filesize and memory_limit.
  • Set FTP_PHP_CONFIG env var as a single-line JSON string.

Files

13 total
Select a file
Select a file to preview.

Comments

Loading comments…