ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NAS File Courier Skill

v1.0.0

Search files on NAS (via rclone + Tailscale) and send to user via messaging API. Triggers on file search, find file, send file, 找文件, 发文件, NAS 查找, 下载文件.

0· 258·0 current·0 all-time
byRandal@tecfancy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (NAS search + deliver via messaging) aligns with the runtime steps. However the package metadata declared no required binaries, env vars, or config paths, while SKILL.md clearly requires rclone, Tailscale (tailscale CLI and tailscale IP), jq, python3 (used for URL encoding), and (for initial setup) sudo. That mismatch is an incoherence: a consumer would legitimately need these binaries and access to rclone configuration to use this skill.
Instruction Scope
The SKILL.md instructions stay within the core purpose (search with rclone, copy to /tmp, deliver via platform MEDIA: lines, verify receipt, and mandatory cleanup). They also define safety rules (don't leak secrets, bind to Tailscale IP). Notable instruction-scope items: it starts a background HTTP server (rclone serve http) bound to the Tailscale IP and sleeps for 10 minutes, uses python3 to URL-encode names, and relies on deliver engine handling MEDIA: lines. The instructions reference rclone config (remotes with credentials) implicitly. There are minor internal inconsistencies (rclone-ops references /tmp/nas-courier/ while SKILL.md references /tmp/openclaw/nas-courier/; SKILL.md demands fuse3 dependency though operations are CLI-based).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it writes nothing to disk during install. That is the lowest install risk. The runtime requires external tools to be present, but nothing is installed by the skill itself.
!
Credentials
The skill declares no required credentials or config paths, yet it depends on an existing rclone remote (which implies ~/.config/rclone/rclone.conf with NAS credentials) and on messaging channels that the platform's deliver engine will use (these require bot tokens maintained elsewhere). The skill will rely on rclone accessing stored NAS credentials; the registry metadata should have declared that dependency and any config path access. The lack of declared config access (and missing required binaries like tailscale, rclone, jq, python3) is disproportionate to the stated metadata.
Persistence & Privilege
always is false, no install spec, and SKILL.md explicitly forbids modifying rclone config or system-wide settings. The skill starts short-lived background processes at runtime (rclone serve http) but requires explicit cleanup steps. No suspicious persistent privileges are requested in the registry metadata.
What to consider before installing
This skill generally does what it says (search NAS via rclone+Tailscale and send files), but the published metadata omits important runtime requirements and assumptions. Before installing or running it: 1) Confirm the runtime host has rclone, tailscale CLI, jq, python3, and a configured rclone remote (the skill depends on ~/.config/rclone/rclone.conf for NAS credentials). 2) Verify the rclone remote credentials are stored securely and that you trust the host running the agent (the skill will cause rclone to read those credentials). 3) Understand network exposure: the HTTP fallback starts a temporary rclone HTTP server bound to the Tailscale IP — any device on the same Tailscale mesh could access the link while it’s up. 4) Ask the author to update registry metadata to declare required binaries and config paths, fix the inconsistent temp-path references (/tmp/nas-courier vs /tmp/openclaw/nas-courier), and clarify whether python3 and jq are required. 5) Test with a small, non-sensitive file first to confirm MEDIA: delivery behavior and that cleanup/kill logic reliably terminates the temporary server. If you cannot verify these items or do not control the Tailscale mesh, treat the skill cautiously.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dcsmkk5f3zb1jcd3c7n002982s6bw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments