Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yunjia File Transfer

v1.0.0

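When the user requests a file (e.g. "send me the file", "send a file to me", "send xxx to me"), invoke this skill to send the file to the user. Supports sending local files to the current chat channel.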

by yb1222 @billyang1222
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (send local files to the chat) matches the actual behavior: SKILL.md instructs the agent to search local user directories (find / PowerShell), build absolute file paths, and call the included Python script to emit a JSON instruction that the platform uses to send files. No unrelated credentials, packages, or remote endpoints are requested.
Instruction Scope
Instructions require the agent to run filesystem search commands (find, Get-ChildItem) and to provide absolute paths; that is necessary for the stated task. The included script validates paths and checks file existence/size but does not read file contents. Potential privacy note: the script logs timestamps and file paths to stderr and appends them to /tmp/yunjia-file-transfer.log, which could expose searched file paths and metadata to other local users/processes or to system log collectors.
Install Mechanism
No install spec; this is instruction-plus-small-script only. The runtime only requires a Python interpreter present on the agent environment (SKILL.md uses python3). No downloads or external packages are fetched.
Credentials
The skill declares no environment variables or credentials. SKILL.md references common environment variables (e.g., $USERPROFILE, $HOME) only to locate user directories, which is proportionate to searching for files. There are no secrets or unrelated service keys requested.
Persistence & Privilege
always is false, and the skill does not modify other skills or system-wide settings. It does write a local log under /tmp, but it does not persist credentials or request elevated privileges.
Assessment
This skill appears to do what it says: when asked it will search local directories for absolute file paths and output a JSON instruction that the platform will use to attach/send the file in chat. Before installing or enabling it, consider:
1) It will run filesystem searches (find or PowerShell) and may access many user files when invoked — ensure you only call it when you intend to share files.
2) The included script logs file paths and file-size metadata to /tmp/yunjia-file-transfer.log and stderr; if you have concerns about local log exposure, review or modify the script's logging.
3) The skill does not itself read file contents, but the platform action 'sendFileToChat' will transmit the file to the chat — confirm that sending sensitive files is allowed.
4) Confirm python3 is available in the agent runtime and that the agent process has the necessary filesystem permissions.
5) If you want higher assurance, review the assemble_send_instruction.py code and remove or harden logging before use.

Runtime requirements

📦 Clawdis