Skill Trust Decision

file-transfer-thru-local-workspace

Skill provides legitimate file transfer functionality but exhibits undisclosed credential harvesting behavior and hardcoded path vulnerability that exposes sensitive configuration data.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 7
Artifacts 1
Violations 4
Findings 4
Most direct threat evidence
High Credential Theft
Undeclared credential file access

Both install.sh and upload-server.js read ~/.openclaw/openclaw.json to extract authentication tokens. This credential harvesting is not declared in SKILL.md or documented as a capability.

install.sh:44

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

4 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

1 lower-risk artifact was extracted and still needs context.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Undeclared credential file access +20

install.sh and upload-server.js read ~/.openclaw/openclaw.json to extract tokens - this is not declared in SKILL.md or package.json permissions

Hardcoded path vulnerability +15

upload-server.js line 31: hardcodes '/home/admin/.openclaw/' path, bypassing HOME env and potentially reading wrong user's config

Process environment credential exposure +10

install.sh passes GATEWAY_AUTH_VALUE as env var to node process, visible in process listing (ps eww)

Skill enumeration/download without security warning +7

Can enumerate and download all installed skills, potentially exposing API keys stored in other skills' configs

Most important evidence

High Credential Theft

Undeclared credential file access

Both install.sh and upload-server.js read ~/.openclaw/openclaw.json to extract authentication tokens. This credential harvesting is not declared in SKILL.md or documented as a capability.

install.sh:44
Document why openclaw.json is accessed. Consider using a service account instead of gateway credentials.

High Sensitive Access

Hardcoded user path creates information disclosure

upload-server.js has a hardcoded path '/home/admin/.openclaw/' that bypasses the HOME environment variable. This can cause the skill to read the wrong user's configuration file if HOME is unset or different.

src/upload-server.js:31
Remove hardcoded path. Only use process.env.HOME and fail gracefully if not set.

Medium Priv Escalation

Skill download exposes other skills' secrets

The skill can enumerate and package all installed skill packages. Many skills contain API keys or credentials in their configs. Downloading all skills provides a credential aggregation attack vector.

src/upload-server.js:200
Implement permission checks for skill download. Warn users about credential exposure in skill packages.

Medium Doc Mismatch

Permissions mismatch between declared and actual

package.json declares 'filesystem: [write:workspace, read:skills]' but the skill actually reads openclaw.json (credential file) which is outside declared scope.

package.json:26
Update permissions to include 'read:config' or 'read:credentials' if accessing openclaw.json is intentional.

Declared capability vs actual capability

Filesystem Block
Declared WRITE (workspace only)
Inferred READ + WRITE
install.sh:44-45 reads openclaw.json, upload-server.js:31 has hardcoded /home/admin path

Shell Block
Declared NONE
Inferred WRITE
upload-server.js:200 uses spawn('zip') for skill packaging

Network Block
Declared listen only
Inferred WRITE
Server binds to 0.0.0.0:15170 serving files to any client

Environment Block
Declared NONE
Inferred READ
install.sh extracts HOME, reads openclaw.json, passes GATEWAY_AUTH_VALUE

Suspicious artifacts and egress

Medium External URL
http://127.0.0.1:15170/

SKILL.md:228

Dependencies and supply chain

There are no structured dependency warnings.

File composition

7 files · 1904 lines
HTML 1 file · 688 lines
JavaScript 1 file · 511 lines
Markdown 1 file · 389 lines
Shell 2 files · 183 lines
JSON 2 files · 133 lines
Files of concern · 4
src/upload-server.js JavaScript · 511 lines
Hardcoded user path creates information disclosure · Skill download exposes other skills' secrets
SKILL.md Markdown · 389 lines
http://127.0.0.1:15170/
install.sh Shell · 138 lines
Undeclared credential file access
package.json JSON · 38 lines
Permissions mismatch between declared and actual
Other files · upload.html · clawhub.json · uninstall.sh

Security positives

Token authentication protects the upload/download endpoints
Path traversal protection using path.basename()
Independent uploads/ directory isolates user files
Systemd service creation provides proper Linux integration
CORS headers configured for browser security