ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ftp Sync

FTP/SFTP 同步工具。本地与远程服务器文件同步,支持增量备份。适合网站维护和服务器管理。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 27 · 1 current installs · 1 all-time installs
by@SxLiuYu
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description promise SFTP support and incremental backups, which is reasonable for an FTP sync tool. However, the included script does not implement network SFTP/FTP operations — it only simulates sync, prints warnings, and points to external tools (paramiko or rsync). The meta says python3 is required but does not declare paramiko as a dependency. This is an implementation gap (not necessarily malicious) but it is an incoherence: the skill advertises capabilities it does not actually provide.
Instruction Scope
SKILL.md gives straightforward CLI examples that run the included Python script. It does not instruct the agent to read unrelated files or credentials. It does encourage passing passwords on the command line (e.g., --password), which can leak to process listings — a privacy/security caveat but not out-of-scope for the described task.
Install Mechanism
There is no install spec (instruction-only plus one script). _meta.json lists python3 in bins which is consistent. No downloads, external install URLs, or archive extraction are present.
Credentials
The skill requests no environment variables or credentials via metadata. The runtime examples accept passwords via CLI arguments which can expose secrets (process list, shell history). The script mentions paramiko but doesn't declare it as a required dependency. No unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent or elevated platform privileges. It does not modify other skills or system-wide configs.
What to consider before installing
This skill is not obviously malicious, but it is incomplete: the Python script only simulates sync and tells you to install paramiko or use rsync to perform real transfers. Before using it, consider: 1) verify the author/source and prefer skills with explicit dependency lists (paramiko) and implemented network code; 2) avoid passing passwords on the command line (use SSH keys or prompt-based input) because CLI passwords can appear in process lists or shell history; 3) run in dry-run mode first and inspect the script to ensure it will perform only the intended operations; 4) if you need actual SFTP sync, either install paramiko yourself and audit the code changes or use a well-known tool (rsync/ssh) instead. If you expect a fully functional SFTP/incremental backup tool, ask the maintainer to implement or declare the missing network functionality and dependencies.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk973kppj3rh1v8rpy6y31vphj583144e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

FTP/SFTP Sync 🔄

本地与远程服务器文件同步。

功能

  • 📤 SFTP 上传/下载
  • 🔄 增量同步
  • 📊 同步报告
  • 🔒 支持密钥认证

使用方法

上传同步

python3 scripts/ftp_sync.py upload ./local_folder/ --host 192.168.1.1 --user root --password xxx

下载同步

python3 scripts/ftp_sync.py download /remote/folder/ --host 192.168.1.1 --user root

对比差异

python3 scripts/ftp_sync.py diff ./local/ /remote/ --host xxx

示例

# 上传网站文件
python3 scripts/ftp_sync.py upload ./dist/ --host example.com --user ftpuser --password pass123 --remote /var/www/html/

# 增量同步
python3 scripts/ftp_sync.py upload ./data/ --host example.com --user user --password pass --sync

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…