Skill v1.0.0
ClawScan security
Windows File Search Skill via Everything · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 4:48 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it documents using the Everything command-line tool (es.exe) to perform Windows file searches and does not request unrelated credentials or perform unexpected actions.
- Guidance: This skill is coherent with its claim to use Everything (es.exe) for fast Windows searches, but take these precautions before installing/using it: only install es.exe from the official voidtools site; prefer adding the es.exe folder to your PATH rather than copying the binary into C:\Windows; be aware that running the skill lets the agent enumerate entire drives and export results (CSV files) which can contain sensitive filenames/paths — review/export destinations before running; run the tool under a least-privilege account if possible; if you do not want the agent to run searches autonomously, restrict the skill or require explicit user invocation.
Review Dimensions
- Purpose & Capability (ok): The name/description match the instructions: the SKILL.md exclusively describes invoking Everything's es.exe CLI to search, filter, sort, and export results. It does not request unrelated network services, credentials, or tools.
- Instruction Scope (note): Instructions tell the agent to run es.exe and to read/write search results (including CSV export). That's expected for a file-search skill, but the skill will necessarily enumerate the filesystem and can export potentially sensitive file lists. The doc also recommends copying es.exe into the Windows system directory (%systemroot%), which is unnecessary and risky; adding the es.exe directory to PATH is preferable.
- Install Mechanism (note): There is no automated install spec (instruction-only), so nothing is written to disk by the skill itself. SKILL.md points to official voidtools.com download URLs (expected). The only mild risk is the instruction to copy es.exe to the system directory — that action involves placing a third-party binary in a privileged location and is unnecessary for normal operation.
- Credentials (ok): No environment variables, credentials, or unrelated config paths are requested. The only capabilities needed are access to run es.exe and read files/directories on the Windows filesystem, which are proportional to the described purpose.
- Persistence & Privilege (ok): The skill is not set to always: true and does not request elevated platform privileges or modify other skills' configs. Autonomous invocation is allowed by default (platform normal) — note that this means the agent could run searches without additional prompts if enabled.
