file-sender
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill mostly matches its file-delivery purpose, but it can proactively send workspace files without explicit user confirmation and has a weak workspace-boundary check.
Review this skill before installing. It appears designed for legitimate file delivery, but you should confirm each package before sending, avoid selecting broad directories that may contain secrets, and periodically clean `.file-outbox/` if sensitive files are delivered.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Files from the workspace may be packaged and delivered through the Manager even when the user did not specifically request a download, increasing the chance of accidental disclosure of unintended files.
The skill instructs autonomous file-delivery behavior without requiring explicit user approval for each send.
Even if the user doesn't explicitly ask for file delivery, you should proactively trigger this skill whenever you generate deliverable artifacts in the workspace.
Require explicit user confirmation before each delivery, especially for directories, and show the exact path and intended contents before sending.
If similarly named sibling directories exist, the agent could package and deliver files outside the documented workspace boundary.
The validation uses a raw prefix match, so a path like /home/node/workspace_backup would pass even though it is outside the intended workspace directory.
WORKSPACE_PREFIX="/home/node/workspace"
[[ "$REAL_PATH" != "$WORKSPACE_PREFIX"* ]] && { echo "❌ 仅允许 $WORKSPACE_PREFIX 下的文件"; exit 1; }
Use a path-boundary check such as allowing only the exact workspace path or paths beginning with /home/node/workspace/, and keep the documentation aligned with that behavior.
The skill needs a Manager-issued token to register file deliveries. The artifacts do not show hardcoded credentials or unrelated token use.
The script uses an instance-specific bearer token to notify the Manager; this is expected for the stated delivery workflow, but it is still delegated authority.
-H "Authorization: Bearer ${OPENCLAW_FILE_PUSH_TOKEN}"
Ensure the token is scoped only to file delivery for this instance and that the registry metadata accurately declares the required environment variables.
Sensitive files included in a delivery may remain stored in the workspace outbox after the user receives them.
Delivered archives and descriptions remain on disk after packaging, which can retain sensitive content beyond the immediate task.
Files are persisted locally to `.file-outbox/` first — even if notification fails, the files are safe.
Review and clean `.file-outbox/` when deliveries contain sensitive material, or add a documented retention/cleanup policy.
The delivery flow relies on Manager infrastructure to retrieve and forward the ZIP, so file contents pass through that service path.
File contents are ultimately transferred through the Manager/Agent delivery path, which is purpose-aligned but should be visible to users.
Manager pulls — Manager's background task pulls the ZIP from the Agent and forwards it
Install only if you are comfortable with Manager-mediated file delivery, and verify the Manager URL is trusted and controlled by the expected OpenClaw environment.
