
      Safety Report

      Filesystem Management

      @gtrusler

      Advanced filesystem operations - listing, searching, batch processing, and directory analysis for Clawdbot

      12,375 Downloads
      158 Installs
      47 Stars
      2 Versions
      Search & Retrieval 2,116 · File Management 2,100 · Legal & Compliance 738

      Security Analysis

      High confidence
      Suspicious · 0.04 risk

      The skill's stated purpose (filesystem operations) is plausible, but the package/installation details and the runtime instructions conflict (missing executable, undeclared network/install requirements), so proceed with caution and verify the code before installing.

      Feb 11, 2026 · 5 files · 4 concerns

      Purpose & Capability: concern

      The name/description match the requested capabilities (listing, searching, batch ops). However package.json and SKILL.md imply a Node-based CLI named 'filesystem' that would be installed/run, yet no 'filesystem' binary/script is included in the published files. Also the documentation instructs cloning from GitHub and npm operations (network activity), but the skill metadata and package.json claim no network permission and only require 'node' (they do not list 'git' or 'npm' as required). These inconsistencies mean the manifest does not reliably represent what will be needed or executed.

      Instruction Scope: concern

      The SKILL.md instructs the agent/user to clone a remote repo, make an executable 'filesystem', and run commands that access arbitrary paths (including examples touching /var/log, /etc). Those actions are expected for a filesystem tool, but the instructions require network access and local execution of a binary that is not present in the skill bundle. There is no instruction to validate the cloned code beyond simple chmod, so following the instructions blindly could run unreviewed code locally.

      Install Mechanism: concern

      There is no formal install spec in the registry entry (instruction-only). The SKILL.md suggests 'git clone' and optional 'npm install -g .', which pulls code from a remote GitHub repo at runtime. Since no binary or install archive is bundled, the only way to obtain the runnable program is to fetch remote code. The registry metadata claims 'network: none' while the README/installation explicitly require network access — this mismatch raises risk because the actual install is a network fetch of code that will be executed locally.

      Credentials: note

      The skill does not request environment variables or credentials, and the declared primary credential is none — that is proportionate for a local filesystem tool. However, package.json lists 'network': 'none' in 'clawdbot.permissions' despite installation and README requiring network access (git/npm). Also the package.json permissions claim filesystem read-write, which is expected for this functionality but underscores the risk: this skill (if installed/executed) will be able to read and copy files on the host.

      Persistence & Privilege: ok

      The skill does not set always:true and does not request persistent elevated registry privileges. It is user-invocable and allows autonomous model invocation (the platform default). There is no evidence the skill attempts to modify other skills or system-wide agent settings in the provided files.

      Guidance

      This skill claims to be a CLI filesystem tool but the published package lacks the actual 'filesystem' executable referenced throughout the docs; the README and SKILL.md instruct you to git clone and run npm commands (network fetch) even though the manifest does not declare network or git/npm requirements. Before installing or running anything:

      1) Inspect the remote repository (https://github.com/gtrusler/clawdbot-filesystem) yourself and verify the 'filesystem' script contents and authorship;
      2) Do not run any cloned code as root — test in a sandbox/VM or container;
      3) Confirm config.json protectedPaths and safety settings are enforced by the actual executable;
      4) Be cautious because installing this will grant read (and copy) access to local files — avoid installing if you cannot review the code or trust the source.

      If you want a safer option, ask for a packaged release (verified GitHub release or an npm package) that you can audit before executing.

      Latest Release

      v1.0.2

      Clean naming: Removed 'Clawdbot' from display name, fixed LICENSE.md extension


      Published by @gtrusler on ClawHub
