Local File
Author: zhouhouqing · v1.0.0
Total downloads: 420
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install local-file
Description
Read, summarize, and search contents of local text, markdown, JSON, DOCX, and PDF files within authorized paths under 10MB.
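Usage instructions (SKILL.md)
Local File Reader
Reads local file contents (supports .txt, .md, .json, .docx, .pdf, etc.)
Trigger conditions
The user mentions: read a file, view a file, open a file, read the xxx file
Usage
- Read: read <file path>
- Summarize: summarize <file path>
- Search: search <keyword> <file path>
Limits
- Can only read the workspace and paths the user has explicitly authorized
- Large files (>10MB) are refused
Security usage recommendations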
This skill partially implements a local-file reader but has several mismatches with its documentation. Before installing or enabling it:
- Ask the author to explain and remove or parameterize the hardcoded path 'D:\个人' (it appears author-specific).
- Require the skill to declare OPENCLAW_WORKSPACE in its metadata if it depends on that env var.
- Require the code to enforce the documented 10MB size limit and to implement (or remove) summarize and search functionality described in SKILL.md.
- Request path normalization and canonicalization (use path.resolve and fs.realpath) and stronger checks (not startsWith) to prevent accidental access outside allowed roots.
- Audit npm dependencies (mammoth, pdf-parse) and consider running the skill in a sandboxed environment until the above fixes are made.
If the author cannot justify the hardcoded path and undeclared env usage or cannot implement the documented safeguards, treat this skill as unsafe to grant file-access to.
Functional analysis
Type: OpenClaw Skill
Name: local-file
Version: 1.0.0
The skill provides legitimate file-reading functionality but contains a significant path traversal vulnerability in `index.js`. The path validation logic uses `startsWith` against allowed roots without first normalizing the input path, which could allow an attacker to access sensitive files outside the intended directories (e.g., using `../` sequences). Additionally, the code contains a hardcoded absolute Windows path (`D:\个人`), which is atypical for a generic skill. No evidence of intentional data exfiltration or malicious backdoors was found.
Capability assessment
Purpose & Capability
Name/description promise: read, summarize, and search local text/markdown/JSON/DOCX/PDF under authorized paths and <10MB. The code implements text extraction for .txt/.md/.json/.docx/.pdf which aligns with the reading capability, but it does not implement 'summarize' or 'search' features. The presence of a hardcoded Windows path ('D:\个人') is author-specific and may be inappropriate for other users.
Instruction Scope
SKILL.md documents read/summarize/search commands and a 10MB file-size limit. index.js only reads and extracts text; it lacks any summarize or search logic and does not check file size. The code checks allowedRoots using a simple startsWith() test without normalizing/realpath resolution, which is a weak path restriction and could be bypassed or behave inconsistently across platforms.
Install Mechanism
There is no install spec (instruction-only style), which is low-risk for arbitrary downloads. package.json lists mammoth and pdf-parse as dependencies and package-lock.json is included. No install URLs or extract-from-URL steps are present.
Credentials
requires.env is empty in registry metadata and SKILL.md, but index.js reads process.env.OPENCLAW_WORKSPACE as an allowed root — an undeclared environment dependency. No credentials are requested, which is appropriate, but the undeclared env var and the hardcoded 'D:\个人' path are disproportionate/unexpected and should be declared and documented.
Persistence & Privilege
always is false and there are no install hooks or code that modifies agent/system configuration. The skill does not request persistent privileges beyond reading files when invoked.
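How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install local-file
- Once installation completes, call the Skill by name or use /local-file to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history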
v1.0.0
Local File Reader 1.0.0
- Introduced ability to read local file contents (.txt, .md, .json, .docx, .pdf, etc).
- Supports reading, summarizing, and searching file contents using simple commands.
- Only reads files in the workspace or user-authorized paths.
- Refuses to process large files (>10MB).
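FAQ
What is Local File?
Read, summarize, and search contents of local text, markdown, JSON, DOCX, and PDF files within authorized paths under 10MB. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 420 downloads to date.
How do I install Local File?
Run the command "/install local-file" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is Local File free?
Yes, Local File is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Local File support?
Local File runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Local File?
It is developed and maintained by zhouhouqing (@zhouhouqing); the current version is v1.0.0.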