Downloads: 431
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install folder-inspector
Description
This skill scans local directories.
README (SKILL.md)
Folder Inspector Skill
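Use this skill when the user asks "what is in a certain folder" or "look at the file sizes in this directory". The input parameter is the absolute path of the folder.
Parameters
- path: absolute path of the target folder.
Use cases
- When the user asks "what is in the directory" or "check the folder size", this tool must be called.
- If the user gives a relative path, try to convert it to an absolute path using the context.
Usage examples
- "Can you show me which large files are in the /home/jiajiexu directory?"
- "Look up the contents of the /tmp folder."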
Usage Guidance
This skill's purpose (listing files and sizes) lines up with its code, but there are red flags you should address before using it:
- index.js uses a hardcoded python path and an absolute script location in /home/jiajiexu/... instead of the bundled scripts/file_scanner.py. That will likely break or point to an unexpected file. Require the author to change scriptPath to use a path relative to the skill (e.g., __dirname + '/scripts/file_scanner.py') and avoid hardcoding /usr/bin/python3 (or at least fall back to 'python3' on PATH).
- The Python script logs every invocation and the provided path to /tmp/openclaw_python_debug.log. This file can leak filesystem paths or be read by others on a multi-user system. If you care about privacy, ask to remove or disable logging or write to a controlled location.
- index.js builds a table expecting a 'type' field that the Python script does not return; this mismatch may cause incorrect output. Ask the author to align returned JSON with the consumer code.
- Because the package source is 'unknown' and the code references another user's home path, treat this as untrusted until corrected. Prefer running it in a sandbox or requesting a corrected release that uses relative paths and documents its logging behavior.
If you don't trust the author or cannot get a corrected package, do not install it system-wide. If you proceed, inspect and modify index.js to use the included scripts/ path and remove or secure the debug logging.
Capability Analysis
Type: OpenClaw Skill
Name: folder-inspector
Version: 1.0.0
The `index.js` file contains a critical shell injection vulnerability. The `execSync` call directly interpolates the user-provided `args.path` into a shell command without proper sanitization, allowing arbitrary command execution on the host system. While the skill's stated purpose is benign (folder inspection), this severe lack of input validation makes the skill highly exploitable, classifying it as suspicious rather than benign. The `file_scanner.py` script also includes a debug log that writes to `/tmp/openclaw_python_debug.log`, which is a minor information leakage risk but not the primary concern.
Capability Assessment
Purpose & Capability
The stated purpose is 'scan a local directory', which matches the code's intent. However, index.js hardcodes an absolute Python script path (/home/jiajiexu/.../scripts/file_scanner.py) and a fixed python binary (/usr/bin/python3) rather than calling the bundled script relative to the skill. The registry metadata declared no required binaries, yet the code assumes python3 exists at a specific location. The hardcoded path referencing another user's home and a global node_modules layout is incoherent with a portable skill package.
Instruction Scope
SKILL.md simply instructs the agent to call the tool for directory queries — that matches behavior. But the implementation writes debug output to /tmp/openclaw_python_debug.log and logs the supplied path, which SKILL.md does not mention. The script also returns only file names and sizes, with no 'type' field, although index.js expects 'type' when it builds its table; this could lead to runtime errors or truncated output.
Install Mechanism
No install spec (instruction-only) — low install risk. However, the skill implicitly requires a Python interpreter at /usr/bin/python3 and expects the script to exist at an absolute, external path rather than the included scripts/ file. This mismatch is an implementation bug and increases operational fragility.
Credentials
The skill requests no credentials or env vars, which is appropriate. But the hardcoded script path points to /home/jiajiexu/... which is unrelated to the declared package; this either indicates the package was packaged incorrectly or intentionally references a user-specific location. The Python script also writes a debug log to /tmp, which records invoked paths and could leak sensitive filesystem locations to anyone who can read /tmp.
Persistence & Privilege
The skill does not request persistent 'always' presence, does not modify other skills or system-wide config, and does not require elevated privileges. The only side-effect is writing an append-only debug log under /tmp, which is low-privilege but notable.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install folder-inspector
- After installation, invoke the skill by name or use /folder-inspector
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Folder Inspector Skill 1.0.0 – Initial Release
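- Added the ability to scan local directories, listing folder contents and file sizes.
- Supports querying a directory through an absolute-path parameter.
- Clarified the applicable scenarios, including viewing directory contents and folder sizes.
- Provides usage examples and parameter descriptions.
- SKILL.md includes Chinese and English descriptions for ease of use.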
Frequently Asked Questions
What is Folder Inspector?
This skill scans local directories. It is an AI Agent Skill for Claude Code / OpenClaw, with 431 downloads so far.
How do I install Folder Inspector?
Run "/install folder-inspector" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Folder Inspector free?
Yes, Folder Inspector is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Folder Inspector support?
Folder Inspector is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Folder Inspector?
It is built and maintained by JayXu-D (@jayxu-d); the current version is v1.0.0.