file-batcher-tool
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: file-batcher-tool
Version: 1.0.0
The skill provides batch file management utilities but contains a shell injection vulnerability in the `find_large` function within `scripts/batcher.sh`. Specifically, the `$size` variable is used unquoted in a `find` command, which could allow for arbitrary command execution if the input is manipulated. While the tool's capabilities are aligned with its stated purpose, this lack of input sanitization in a shell-based tool poses a security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user asking to convert images could lose the original files unexpectedly.
The conversion command removes the original image after creating the new format. The SKILL.md describes this as image conversion but does not disclose that originals will be deleted.
`convert "$file" "${file%.*}.$format" && rm "$file" && ((count++))`
Disclose that conversion replaces/removes originals, or preserve originals by default. Add an explicit confirmation or dry-run mode before deleting files.
A mistaken or adversarial size argument could cause unintended filesystem behavior when searching for large files.
The user-controlled size value is inserted into a find command without validation or quoting, so malformed input could alter the find expression rather than only set a size threshold.
`local size="${2:-100M}" ... find "$folder" -type f -size +$size -exec ls -lh {} \;`
Parse the --size option correctly, validate it against a strict size pattern, and pass it as a single quoted argument such as `-size "+$size"`.
The conversion feature may fail until the user installs an external package.
The script requires ImageMagick for conversion at runtime, but the registry requirements declare no required binaries.
if ! command -v convert &> /dev/null; then ... Install: brew install imagemagick
Declare ImageMagick as an optional or required dependency and advise users to install it only from trusted package managers.
