nagilem

file-browser

by Nagilem · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 1413 · Stars: 0 · Active Installs: 14 · Versions: 1
Install in OpenClaw
/install file-browser
Description
Read-only file browsing and reading in the OpenClaw workspace (/home/alfred/.openclaw/workspace). Use for listing directories or reading text files (up to 10...
README (SKILL.md)

File Browser Skill

Quick Start

Resolve all paths relative to WORKSPACE=/home/alfred/.openclaw/workspace. Sanitize inputs to prevent escapes or absolutes.

  • To list directory: exec("scripts/list_files.sh", [rel_path]) → JSON {success: bool, data: array of names, error: string}
  • To read file: exec("scripts/read_file.sh", [rel_path]) → JSON {success: bool, data: string (text content), error: string}
  • Handle errors: For binary/large/non-text files, return error JSON.

Step-by-Step Workflow

  1. Parse user query for action (list/read) and relative path.
  2. Call appropriate script with sanitized rel_path.
  3. Parse JSON output; respond to user with results or error message.
  4. If path invalid or outside workspace, reject immediately.

Safety Guidelines

  • Enforce read-only: No writes, deletes, or exec beyond scripts.
  • Log accesses if verbose mode enabled.
  • For large files (>10k chars), truncate or summarize.

Edge Cases

  • Empty path: Default to "." (workspace root).
  • Binary file: Return error "Non-text file".
  • See references/examples.md for more (if added).

Bundled Resources

  • scripts/list_files.sh: Bash wrapper for ls.
  • scripts/read_file.sh: Bash wrapper for cat with limits.
Usage Guidance
This skill generally does what it says, but do not install blindly. The scripts allow symlink traversal (a file inside the workspace that is a symlink could let the skill read files outside the workspace), and they build JSON by directly embedding filenames and file contents without proper escaping (filenames or file contents with quotes/newlines/backslashes can corrupt JSON or be abused). Recommended mitigations before use:

  1. Resolve and verify the absolute path (e.g., realpath or readlink -f) and ensure it has the workspace prefix to block symlink/outside reads.
  2. Refuse to follow symlinks, or explicitly check for and reject symlinks if you want strict confinement.
  3. Produce JSON safely (use a JSON encoder such as jq, Python's json.dumps, or printf with proper escaping) rather than interpolating raw data.
  4. Harden filename handling (handle newlines and quotes, or return names via null-separated output).
  5. Validate parsed JSON before using results.

If you cannot patch the scripts, consider running the skill in a restricted environment or rejecting it. Confidence is medium: the code is small and readable, but the above issues are real and should be fixed before trusting the skill with sensitive workspace contents.
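The path-confinement and JSON-encoding mitigations recommended above, as an added Python example; it is not the skill's own code (the bundled scripts are Bash and are not shown on this page). The names `confine`, `reply`, `list_files`, `read_file` and `demo` are hypothetical, the workspace is passed as a parameter instead of the fixed path in the README, and the sample workspace is constructed.

```python
import json, os, tempfile

MAX_CHARS = 10_000  # large-file threshold taken from the README's safety guidelines

def confine(workspace, rel_path):
    """Resolve rel_path inside workspace; raise ValueError if it escapes (assumed helper)."""
    root = os.path.realpath(workspace)
    rel_path = rel_path or "."                      # README: empty path means workspace root
    if os.path.isabs(rel_path):
        raise ValueError("absolute path rejected")
    real = os.path.realpath(os.path.join(root, rel_path))  # follows symlinks, folds ".."
    if os.path.commonpath([root, real]) != root:    # prefix check on whole path components
        raise ValueError("path escapes workspace")
    return real

def reply(success, data=None, error=""):
    # json.dumps escapes quotes, backslashes and newlines in names and contents
    return json.dumps({"success": success, "data": data, "error": error})

def list_files(workspace, rel_path=""):
    try:
        return reply(True, sorted(os.listdir(confine(workspace, rel_path))))
    except (OSError, ValueError) as exc:
        return reply(False, error=str(exc))

def read_file(workspace, rel_path):
    try:
        with open(confine(workspace, rel_path), encoding="utf-8", newline="") as fh:
            text = fh.read(MAX_CHARS)               # truncate at the character limit
        if "\0" in text:
            return reply(False, error="Non-text file")
        return reply(True, text)
    except UnicodeDecodeError:                      # must precede ValueError, its base class
        return reply(False, error="Non-text file")
    except (OSError, ValueError) as exc:
        return reply(False, error=str(exc))

def demo():
    """Constructed workspace: a quoted filename plus a symlink that points outside."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as ws:
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("outside the workspace")
        with open(os.path.join(ws, 'a"b.txt'), "w") as fh:
            fh.write('line "one"\nline two\\')
        os.symlink(os.path.join(outside, "secret.txt"), os.path.join(ws, "link.txt"))
        reads = [read_file(ws, p) for p in ('a"b.txt', "link.txt", "../x")]
        return [json.loads(s) for s in [list_files(ws)] + reads]
```

The path check and the open are separate steps, so this covers a static workspace; it does not address a symlink being swapped in between the two.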
Capability Analysis
Type: OpenClaw Skill · Name: file-browser · Version: 1.0.0
The skill provides file browsing and reading capabilities within a restricted workspace, but it contains a vulnerability in the manual construction of JSON responses in 'scripts/list_files.sh' and 'scripts/read_file.sh'. Because file contents and filenames are not escaped before being inserted into the JSON string, a file containing double quotes or JSON-like structures could cause the agent to misinterpret the output, leading to indirect prompt injection. While the path sanitization correctly checks for '..' and absolute paths, the improper output encoding is a flaw that could be exploited to manipulate the agent's behavior.
Capability Assessment
Purpose & Capability
Name, description, SKILL.md, and included scripts align: the skill only lists and reads files under /home/alfred/.openclaw/workspace and declares no extra dependencies or credentials.
Instruction Scope
SKILL.md restricts to relative paths and read-only operations and the scripts generally enforce these checks, but the scripts do not prevent symlink traversal (a workspace-file that is a symlink can point outside the workspace) and they emit JSON by interpolating raw filenames/file contents without escaping, which can break parsing or enable JSON injection. There is no handling for filenames containing quotes, newlines, or other special characters.
Install Mechanism
No install spec; instruction-only with two small scripts. No external downloads or package installs are performed.
Credentials
No environment variables, credentials, or config paths are requested. This is proportionate to a read-only file browser.
Persistence & Privilege
Skill is not always-enabled and uses normal invocation. It does not request elevated or persistent privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install file-browser
  3. After installation, invoke the skill by name or use /file-browser
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Version 1.0.0

  • Major update: Introduces a new read-only file browsing skill for the OpenClaw workspace.
  • Adds scripts for listing directories and reading text files within the workspace.
  • Skill description and usage instructions now reflect security restrictions and available actions.
  • Old SKILL.md and broader file management functionality removed; focus narrowed to basic browse and read operations only.
Metadata
Slug file-browser
Version 1.0.0
License MIT-0
All-time Installs 14
Active Installs 14
Total Versions 1
Frequently Asked Questions

What is file-browser?

Read-only file browsing and reading in the OpenClaw workspace (/home/alfred/.openclaw/workspace). Use for listing directories or reading text files (up to 10... It is an AI Agent Skill for Claude Code / OpenClaw, with 1413 downloads so far.

How do I install file-browser?

Run "/install file-browser" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is file-browser free?

Yes, file-browser is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does file-browser support?

file-browser is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created file-browser?

It is built and maintained by Nagilem (@nagilem); the current version is v1.0.0.
