OCFT - OpenClaw File Transfer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed file-transfer skill, but users should treat its peer secrets, auto-accept mode, IPFS sharing, and external npm install carefully.

Before installing, verify the npm package and GitHub source. Keep node and peer secrets private, prefer short TTLs, choose a contained download directory and max file size, and avoid using auto-accept, public chat channels, or IPFS for sensitive files unless you intend those trust and exposure tradeoffs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
This markdown file documents that files from trusted peers are 'automatically accepted without manual approval', which can affect local user data and filesystem integrity. Although the behavior is described, it is not accompanied by a clear safety warning about the implications of bypassing manual approval, especially if a peer or secret is compromised.

Missing User Warnings

Medium
Confidence: 91%
Finding
This markdown file documents IPFS fallback, provider configuration, API keys, and public gateways, but it does not include a user-facing warning about the privacy implications of sending files through external IPFS services. Because the feature can affect user data confidentiality and involve third-party storage or gateways, the description should explicitly disclose that behavior.

VirusTotal

61/61 vendors flagged this skill as clean.
