Xdrop

Security checks across malware telemetry and agentic risk

Overview

Xdrop appears to be a coherent file-transfer helper, but users should confirm the files, output folder, and Xdrop server/API URL before running it.

Before installing or invoking this skill, inspect the bundled scripts if they are available, confirm that Bun is an expected runtime in your environment, check the XDROP_SERVER and XDROP_API_URL environment variables, pass explicit server/API flags for important transfers, upload only the files or directories you intend to share, and download into a fresh output directory.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

A mistaken file path, directory, or server URL could upload unintended local data.

Why it was flagged

The skill is explicitly designed to read local files or directories and send them to a network server. This is purpose-aligned, but the user should verify the selected paths and destination.

Skill content
`scripts/upload.mjs` — Upload local files or directories to an Xdrop server and print the share link
Recommendation

Approve concrete commands only after checking the file or directory list and the Xdrop server/API URL.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone with the full share link including the `#k=` fragment may be able to decrypt the shared files.

Why it was flagged

The share URL fragment functions as a bearer decryption secret for the transfer. Printing and passing it around is expected, but it grants access to anyone who receives it.

Skill content
Require the full share link, including `#k=...`. Without the fragment key, the transfer cannot be decrypted.
Recommendation

Treat Xdrop share links like secrets; share them only with intended recipients and avoid logging them in public places.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Automated installation or review prompts may not clearly show that Bun and optional endpoint environment settings affect behavior.

Why it was flagged

The skill documentation and scripts rely on Bun and optional endpoint environment variables, but the registry metadata does not surface those requirements.

Skill content
No install spec — this is an instruction-only skill; Required binaries (all must exist): none; Env var declarations: none
Recommendation

Verify the bundled scripts and runtime requirements before use, and prefer explicit `--server` and `--api-url` flags when possible.