Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xdrop
v1.0.0
Use this skill when the user wants to send or fetch files through an Xdrop server from the terminal, asks to automate encrypted Xdrop share-link workflows, p...
by Xi Xu (@xixu-me)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name, description, SKILL.md, and included upload/download scripts all align: they implement encrypted Xdrop transfer upload and download workflows. Minor mismatch: SKILL.md and the scripts require the Bun runtime, but the registry metadata's required binaries list is empty (the skill will fail if Bun isn't available).
Instruction Scope
The runtime instructions stay within the stated purpose: they instruct using the bundled scripts to read local files, call the Xdrop server API, and write decrypted files to disk. One scope issue: the scripts read optional environment variables (XDROP_SERVER, XDROP_API_URL) and expect network and filesystem access — these env vars and access requirements are referenced in the code but not declared in the skill metadata. Otherwise the instructions are specific and bounded to the transfer task.
Install Mechanism
No install spec — instruction-only plus included JS scripts. Nothing is automatically downloaded or executed outside the skill directory. This is low-risk from an install mechanism perspective.
Credentials
The skill does not request credentials or secrets from metadata. The code does optionally read environment variables XDROP_SERVER and XDROP_API_URL to supply defaults — those are reasonable for this tool but should be declared. The scripts rely on filesystem and network access (expected). No unrelated third-party credentials or surprising environment variables are requested.
Persistence & Privilege
always is false and the skill does not attempt to persist itself, modify other skills, or change system-wide agent settings. It simply runs scripts that operate on user-provided files and servers.
Assessment
This skill appears to do what it says: upload and download encrypted Xdrop transfers. Before installing or running it, note the following: (1) you need the Bun runtime available on your machine (the skill metadata didn't list this as a required binary), (2) the scripts will read and write files you specify and will send uploads to whatever --server or XDROP_SERVER you provide — only point it at servers you trust because that server will receive your files, (3) the code optionally reads XDROP_SERVER and XDROP_API_URL from the environment even though the registry metadata doesn't declare these, so be mindful of those env vars if set, (4) review the included scripts yourself if you plan to upload sensitive data, or run in a sandboxed environment first. No obvious hidden endpoints or credential exfiltration were found in the provided source.
scripts/download.mjs:102
Environment variable access combined with network send.
scripts/upload.mjs:191
Environment variable access combined with network send.
scripts/upload.mjs:410
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
