Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

File Writer

v1.0.0

Safely write or append text content to files ONLY in /home/alfred/.openclaw/workspace/scratch. Creates backups before overwriting ({filename}.bak, .bak.1, et...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be limited to /home/alfred/.openclaw/workspace/scratch and to text files only, which is reasonable. However, the bundled script (scripts/backup_file.sh) and references/safety.md introduce inconsistencies: safety.md allows .py files while SKILL.md's Quick Start list does not, and the bash backup script accepts an arbitrary FULL_PATH and will operate on any path it is given. That means the code included with the skill does not itself enforce the declared directory restriction, creating a plausible path for misuse if the agent or a user passes an absolute or outside-scratch path to the script. These mismatches are disproportionate to the simple 'scratch file writer' purpose.
Instruction Scope
SKILL.md contains clear runtime instructions (sanitize relative paths, confirm overwrites, create backups, limit size, allowed extensions). It sensibly requires confirmations and size limits. Two concerns: (1) fallback instructions suggest constructing shell commands like echo "[content]" > [full_path], which can be unsafe if content is not escaped and could lead to shell interpretation or accidental execution; (2) the included backup script's behavior (cp using the provided FULL_PATH) is not constrained by the same sanitization rules described in the instructions, so if the agent calls it incorrectly it can act outside stated scope.
Install Mechanism
No install spec (instruction-only with a small bundled script). This is low-risk from an installation perspective because nothing is downloaded or written at install time.
Credentials
The skill requests no environment variables, credentials, or special config paths — appropriate for a local file-writing helper. It does rely on agent tools ('read', 'write', 'exec') which are normal for skills that manipulate files; those capabilities should be reviewed in the agent environment but are not disproportionate to the stated purpose.
Persistence & Privilege
always is false and the skill does not request permanent/privileged presence. It does not attempt to modify other skills or system-wide agent settings. Autonomous invocation is allowed by default; this is normal but consider the other flagged issues before enabling autonomous use.
What to consider before installing
This skill is not clearly malicious, but it has inconsistencies and a small risk of being misused. Before installing or enabling autonomous use:

  1. Reconcile allowed extensions (SKILL.md lists .txt/.md/.log/.json; references/safety.md also includes .py — decide whether .py is allowed and update docs and code accordingly).
  2. Update scripts/backup_file.sh so it enforces the same base_dir restriction (reject or canonicalize paths outside /home/alfred/.openclaw/workspace/scratch) and produce backup filenames that match the documented pattern (e.g., file.bak, file.bak.1).
  3. Ensure any content passed into shell fallbacks is safely escaped or avoided — prefer the agent's native 'write' tool over generating echo/>> shell commands.
  4. Test edge cases (no extension, many dots, symlinks, absolute path attempts, ../ attempts) to confirm sanitization works end-to-end.
  5. If you enable autonomous invocation, limit or monitor the agent's ability to call 'exec' or the backup script until the above fixes are applied.

If you want, I can produce a corrected backup script and a stricter path-validation snippet to replace the bundled script.


SKILL.md

File Writer Skill

Quick Start

  • Base directory: /home/alfred/.openclaw/workspace/scratch. All paths relative to this (e.g., "notes.txt" or "subdir/log.md").
  • Sanitize: Reject if path contains '../', starts with '/', or has non-text extensions (allow only .txt, .md, .log, .json).
  • Primary tools: 'write' for saving, 'read' for checks/backups, 'exec' for mkdir -p (fallback to message if unavailable).
  • Mode: Write (default/overwrite with backup), append (if specified).

Step-by-Step Workflow

  1. Parse query: Extract rel_path (e.g., "subdir/notes.txt"), content, mode (write/append; infer from phrases like "update" = write).
    • If missing (e.g., "write that information"), use message to ask for rel_path/content.
  2. Sanitize: Validate rel_path (no escapes, safe extension). Compute full_path = base_dir + rel_path.
  3. Create subdirs if needed: Extract parent from rel_path; call 'exec'("mkdir -p [base_dir]/[parent]") or message: "Please run mkdir -p [full_parent] and confirm."
  4. Check existence (call 'read' on full_path):
    • If exists and write mode: Create backup (read content, find unique .bak.N path, 'write' to it).
    • Confirm overwrite/append: Use message ("Confirm [action] on [file]? Yes/No").
  5. Execute:
    • Write: 'write' full_path with content.
    • Append: 'read' existing, concatenate content, 'write' back.
  6. Handle errors: Reply with details; log via message ("Wrote [bytes] to [full_path] at [timestamp]").
  7. If tools fail, fallback: Message requesting user runs echo "[content]" > [full_path] or >> for append.

Safety Guidelines

  • Limits: Max 50k chars; reject binary/large.
  • Backups: Always for overwrites; increment .bak.N until unique (e.g., check with 'read').
  • Sensitive paths: If contains 'secret' or 'key', double-confirm.
  • No auto-mkdir if exec unavailable: Require user confirmation/action.
  • See references/safety.md for patterns.

Edge Cases

  • Empty content: Reject with "Content required."
  • Non-existent for append: Treat as write.
  • Existing .bak: Increment (e.g., .bak.1, .bak.2; use loop with 'read' to find next).
  • Invalid path: "Invalid: Must be relative text file in scratch."
  • Large content: Reject or chunk (multiple writes if over limit).
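
An added example, not the skill's bundled code: one way to enforce the sanitize, size and backup rules above in Python, canonicalizing the path so that absolute paths, ../ segments and symlinks cannot leave the scratch directory. The names `resolve_scratch_path`, `next_backup_path` and `safe_write` are hypothetical, and the confirmation prompts are left to the agent.

```python
import os

ALLOWED_EXT = {".txt", ".md", ".log", ".json"}  # Quick Start allowlist
MAX_CHARS = 50_000                              # Safety Guidelines limit
INVALID = "Invalid: Must be relative text file in scratch."

class PathRejected(ValueError):
    """Raised when a request violates the skill's stated rules."""


def resolve_scratch_path(base_dir, rel_path):
    """Return the canonical target inside base_dir, or raise PathRejected."""
    if (not rel_path or "\x00" in rel_path or os.path.isabs(rel_path)
            or ".." in rel_path.split("/")):
        raise PathRejected(INVALID)
    base = os.path.realpath(base_dir)
    # realpath follows symlinks, so a link inside scratch that points
    # elsewhere resolves outside base and fails the containment check.
    full = os.path.realpath(os.path.join(base, rel_path))
    if os.path.commonpath([base, full]) != base:
        raise PathRejected(INVALID)
    # Check the extension of the resolved file, not of the name supplied.
    if os.path.splitext(full)[1].lower() not in ALLOWED_EXT:
        raise PathRejected(INVALID)
    return full


def next_backup_path(full_path):
    """file.bak, then file.bak.1, file.bak.2, ... until the name is unused."""
    candidate, n = full_path + ".bak", 0
    while os.path.lexists(candidate):
        n += 1
        candidate = f"{full_path}.bak.{n}"
    return candidate


def safe_write(base_dir, rel_path, content):
    """Overwrite with backup; returns (written_path, backup_path or None)."""
    if not content or len(content) > MAX_CHARS:
        raise PathRejected("Content required (max 50k chars).")
    full = resolve_scratch_path(base_dir, rel_path)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    backup = None
    if os.path.exists(full):
        backup = next_backup_path(full)
        # Mode "x" refuses to clobber a backup that appeared in the meantime.
        with open(full, encoding="utf-8") as src, \
                open(backup, "x", encoding="utf-8") as dst:
            dst.write(src.read())
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)
    return full, backup
```

Because the content is written through a file handle rather than interpolated into an `echo` command, nothing in it is ever interpreted by a shell.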

Bundled Resources

  • scripts/backup_file.sh: Fallback Bash for creating backups if tools limited.
  • references/safety.md: Sanitization and confirmation patterns.
