This skill is used to scan a local directory.
Security Analysis
medium confidence
The skill mostly does what it says (list files and sizes) but contains clear inconsistencies (hardcoded absolute paths and unexpected logging) that could cause failures or hide undesired behavior.
The stated purpose is 'scan a local directory', which matches the code's intent. However, index.js hardcodes an absolute Python script path (/home/jiajiexu/.../scripts/file_scanner.py) and a fixed python binary (/usr/bin/python3) rather than calling the bundled script relative to the skill. The registry metadata declared no required binaries, yet the code assumes python3 exists at a specific location. The hardcoded path referencing another user's home and a global node_modules layout is incoherent with a portable skill package.
SKILL.md simply instructs the agent to call the tool for directory queries, which matches the behavior. But the implementation writes debug output to /tmp/openclaw_python_debug.log and logs the supplied path, which SKILL.md does not mention. The script also returns only file names and sizes, with no type field, although index.js expects 'type' when it builds the table; this could lead to runtime errors or truncated output.
No install spec (instruction-only) — low install risk. However, the skill implicitly requires a Python interpreter at /usr/bin/python3 and expects the script to exist at an absolute, external path rather than the included scripts/ file. This mismatch is an implementation bug and increases operational fragility.
The skill requests no credentials or env vars, which is appropriate. But the hardcoded script path points to /home/jiajiexu/... which is unrelated to the declared package; this either indicates the package was packaged incorrectly or intentionally references a user-specific location. The Python script also writes a debug log to /tmp, which records invoked paths and could leak sensitive filesystem locations to anyone who can read /tmp.
The skill does not request persistent 'always' presence, does not modify other skills or system-wide config, and does not require elevated privileges. The only side-effect is writing an append-only debug log under /tmp, which is low-privilege but notable.
Guidance
This skill's purpose (listing files and sizes) lines up with its code, but there are red flags you should address before using it:
- index.js uses a hardcoded python path and an absolute script location in /home/jiajiexu/... instead of the bundled scripts/file_scanner.py. That will likely break or point to an unexpected file. Require the author to change scriptPath to use a path relative to the skill (e.g., __dirname + '/scripts/file_scanner.py') and avoid hardcoding /usr/bin/python3 (or at least fall back to 'python3' on PATH).
- The Python script logs every invocation and the provided path to /tmp/openclaw_python_debug.log. This file can leak filesystem paths or be read by others on a multi-user system. If you care about privacy, ask to remove or disable logging or write to a controlled location.
- index.js builds a table expecting a 'type' field that the Python script does not return; this mismatch may cause incorrect output. Ask the author to align returned JSON with the consumer code.
- Because the package source is 'unknown' and the code references another user's home path, treat this as untrusted until corrected. Prefer running it in a sandbox or requesting a corrected release that uses relative paths and documents its logging behavior.
If you don't trust the author or cannot get a corrected package, do not install it system-wide. If you proceed, inspect and modify index.js to use the included scripts/ path and remove or secure the debug logging.
Latest Release
v1.0.0
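Folder Inspector Skill 1.0.0 – Initial Release
- Added the ability to scan local directories, listing folder contents and file sizes.
- Supports querying a directory via an absolute path parameter.
- Clarifies the applicable use cases, including viewing directory contents and folder sizes.
- Provides usage examples and parameter descriptions.
- SKILL.md includes both Chinese and English descriptions to ensure ease of use.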
Published by @JayXu-D on ClawHub