Find and remove duplicate files intelligently. Save storage space, keep your system clean. Perfect for digital hoarders and document management.
Security Analysis
Medium confidence. The skill claims to safely find and remove duplicate files, but the package metadata, SKILL.md, and included code are inconsistent and the code contains multiple bugs and sloppy file operations that could lead to unintended deletions — review and test carefully before use.
The declared purpose (file deduplication and removal) matches the included code and README: the package contains functions to scan, hash, and remove files. However, the registry metadata states 'No install spec — instruction-only' while actual source files (index.js, test.js, config.json) are packaged. This mismatch is unexpected and worth raising with the maintainer. The code's header includes an odd phrase ('Autonomous Revenue Agent') which doesn't align with the stated utility purpose (likely benign but surprising).
SKILL.md shows the agent will scan arbitrary directories and can delete or move files. That is expected for this tool, but the actual index.js implementation contains multiple coding errors (see the guidance below) that show mismatches between the documented safety features (confirmation prompts, size thresholding, archive, undo log) and what is implemented. Because the skill is permitted to delete or move user files, any bugs in the implementation increase the risk of accidental data loss. The SKILL.md examples rely on awaiting async functions (await findDuplicates), but the code's handling of async operations appears inconsistent, which increases the chance of unexpected behavior at runtime.
No install spec or external downloads are used; the skill is distributed as source files. This is lower risk than remote installers, but it means the shipped code will run on the user's system and should be reviewed.
The skill does not request any environment variables, credentials, or config paths. There are no explicit requests to access unrelated services or secrets.
The skill does not request always:true and does not modify other skills' configurations in the provided files. It has normal, limited presence (just code executed when invoked).
Guidance
Key things to consider before installing/running:
- Metadata mismatch: the registry says 'instruction-only' but this package includes executable source files (index.js, test.js). Ask the author why code is included and request a published homepage or repo for verification.
- Code quality and bugs: index.js contains several coding problems that make its behavior unpredictable and potentially dangerous:
  - computeHash returns a Promise but in the scanning code the hash is used synchronously (no await), so hash-based grouping may not work as intended.
  - Several places treat file path strings as file-stat objects (e.g., accessing .size or .mtime on strings). That will throw or produce incorrect groupings.
  - The logic that groups by size/name appears to rely on properties that do not exist on the stored values, causing incorrect duplicate detection or skipped files.
  - The code does not consistently enforce configured max file size before hashing; hashing very large files could occur despite the config.
- Deletion risk: SKILL.md promises safety features (confirmation prompts, archive, undo log). Because the implementation is sloppy and untested in places, those safeguards may not actually work or may be bypassed. Treat any non-trivial deletion operation as potentially destructive until you audit the code and run it in dry-run mode.
- Test in an isolated environment: run the skill only on a non-production/test directory first (use dryRun:true and a small, controlled dataset). Do not enable any auto-confirm or delete action until you verify the code paths that perform deletions. Prefer running inside a VM or container and keep backups.
- Code review suggestions: before trusting this skill, inspect the remainder of index.js (the provided snippet is truncated) and confirm:
  - Exports actually expose async functions matching the SKILL.md examples (await findDuplicates etc.).
  - Deletion/move code checks autoConfirm and dryRun properly, honors sizeThreshold and whitelist, and logs actions to a safe location.
  - All file operations handle errors safely and avoid races that could delete wrong files.
- Provenance: there's no homepage or repository and the owner/slug give little context. Consider contacting the publisher for source repository and clarifications, or prefer a deduplication tool from a known source.

If you want, I can: (a) list the exact lines in index.js/test.js that are problematic, (b) suggest concrete code fixes to make the tool safer (proper async/await, robust stat handling, stronger whitelisting), or (c) produce a safe audit checklist to run before invoking removal operations.
Latest Release
v1.0.0
Initial release: Find and remove duplicate files intelligently to save storage space
Published by @Michael-laffin on ClawHub