Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Local File Manager 1.0.0
v1.0.0
Read, write, append, and list local files in the session's working directory. Use when you need to persist output to disk, read input files, or manipulate fi...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The stated purpose (file read/write within session cwd) mostly matches the code's operations, but the package metadata is inconsistent: skill.json declares Python entrypoints and dependencies and points 'main' at non-existent Python scripts, while the package actually includes a TypeScript entry and a bash script. _meta.json ownerId differs from the registry owner. These mismatches make it unclear which files are authoritative and why Python is required.
Instruction Scope
SKILL.md promises sandboxing to the session cwd, a 10MB size limit, and use of certain env vars. The runtime pieces conflict: the bash script logs to ~/.openclaw/logs (outside cwd), there is no enforcement of FILE_MANAGER_MAX_SIZE in the shell script, and the README examples include absolute paths (e.g., /var/log/automation.log) that contradict the 'sandboxed to cwd' claim. The TypeScript launcher builds a shell command by joining raw args without quoting/escaping, allowing user-supplied content to inject arbitrary shell commands.
Install Mechanism
There is no install spec (instruction-only style), which is lower risk. However, index.ts executes an absolute script path hard-coded to /Users/nico/.openclaw/... instead of the included relative path scripts/file_manager.sh. That absolute path is unusual and brittle: on some hosts it may inadvertently execute a different script at that location or fail to run the bundled script.
Credentials
The skill declares no required environment variables yet SKILL.md documents FILE_MANAGER_MAX_SIZE, FILE_MANAGER_LOG and FILE_MANAGER_DRY_RUN and the script reads FILE_MANAGER_LOG; those env vars are not declared. skill.json restricts file permissions to ~/.openclaw/workspace/** but the script writes logs to $HOME/.openclaw/logs by default, a path outside the stated permissions. This mismatch means the skill will access locations not reflected in its declared permissions.
Persistence & Privilege
The skill is not force-enabled (always:false) and can be user-invoked or invoked autonomously (default). It writes to a persistent log file under the user's home (~/.openclaw/logs/file-manager.log) which gives it a footprint outside the session cwd. That behavior is not inherently malicious but is inconsistent with 'no cloud sync' / 'sandboxed to cwd' messaging and should be considered by users.
What to consider before installing
Do not install or enable this skill until the maintainers fix the inconsistencies and the shell-injection risk. Specific items to ask or require:
1) Fix index.ts to execute the bundled script via a relative path (no hard-coded /Users/nico path) and/or use an argv array API (spawn with args) instead of building a single shell command string so user content cannot inject shell commands.
2) Make skill.json accurate (remove nonexistent Python requirements or include the promised Python files), and align permissions with actual paths used (logs, workspace).
3) Implement and document enforcement of FILE_MANAGER_MAX_SIZE in the runtime.
4) Decide and document whether logs are written to home and declare that in permissions; allow configuring log path.
5) Remove misleading examples that suggest writing to absolute system paths unless explicitly allowed.
If you must use it before fixes, run the skill in a tightly confined sandbox with no access to sensitive files and monitor what files it writes; treat it as untrusted code.
Like a lobster shell, security has layers — review code before you run it.
latestvk97517gxy4q2fee3q0bgg7xgwx851rmj
