file-classification-manager
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This file organizer is purpose-aligned, but it can broadly read and move workspace files and does not validate project paths before moving files.
Before installing, make sure you are comfortable with a skill that can reorganize workspace files. Prefer running it first in dry-run mode if available, keep backups, and avoid using broad cleanup on workspaces that contain important configuration, source, or sensitive files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A cleanup run could unexpectedly relocate important workspace files, configuration files, or source files and disrupt a project.
The cleanup workflow enumerates root-level workspace files, reads their contents, and routes them through a function that moves them with fs.rename. This is coherent with the organizer purpose, but it is broad and lacks an evident confirmation, dry-run, or backup step.
```js
const files = await fs.readdir(this.workspaceRoot);
...
const content = await fs.readFile(fullPath, 'utf8');
...
const newPath = await this.classifyAndRouteFile(fullPath, project);
...
await fs.rename(filepath, destinationPath);
```
Use this only on a test workspace or after backup; the skill should add a dry-run report, explicit approval before moving files, and safer include/exclude rules.
A malformed project name could route files outside the intended directory structure or create unexpected folders.
The project context is incorporated directly into destination paths and then used for file moves, with no visible validation or normalization to enforce that files remain under the intended projects/ and temp/ directories.
```js
const projectOutputDir = path.join(this.projectsDir, projectName, 'outputs');
...
const dirs = await this.ensureProjectStructure(projectContext);
...
await fs.rename(filepath, destinationPath);
```
Validate project names against the documented alphanumeric/underscore rule, reject path traversal segments, and verify final paths remain inside the workspace.
A persistent log could preserve names or locations of files you worked with.
The skill instructs persistent logging of file operations. This may be useful for auditability, but file names and paths can reveal sensitive project information if retained or reused later.
Log all file operations to `memory/YYYY-MM-DD.md`
Review what is logged, avoid logging sensitive filenames or paths, and clear logs when they are no longer needed.
