Sequential Read

Read prose sequentially with structured reflections to simulate the reading experience

This skill appears to do what it claims: it reads a text file, chunks it, writes per-chunk reflections, and synthesizes a final report using only local Python scripts. Before installing or running it: (1) review or run the included scripts in a controlled environment (they write under your OpenClaw workspace, default ~/.openclaw/workspace); (2) avoid passing sensitive or private files (the session metadata stores source filenames/paths and the full text is persisted under memory/sequential_read/<session-id>/); (3) note that the pipeline spawns sub-agents and runs end-to-end without extra prompts — if you prefer manual confirmation between phases, do not use the hands-off mode or inspect/modify SKILL.md to add prompts; (4) if you want to sandbox file writes, set OPENCLAW_WORKSPACE to an isolated directory before invoking. Overall the skill is internally consistent, but treat persisted session data and autonomous execution as the main operational considerations.

Type: OpenClaw Skill Name: sequential-read Version: 1.0.0 The skill contains multiple local file inclusion (LFI) vulnerabilities due to insufficient sanitization of user-provided inputs. Specifically, `scripts/chunk_manager.py`'s `structural-chunk` command takes a user-controlled `source_file` (from `SKILL.md` and `preread/SKILL.md`) and directly `open()`s it, allowing path traversal to read arbitrary files. Similarly, `scripts/session_manager.py` and `scripts/state_manager.py` construct file paths using a user-controlled `session_id` (from `SKILL.md`), enabling path traversal for reading and writing files within the OpenClaw workspace or potentially beyond. The `LENS` parameter (user input) is also used to construct prompts for sub-agents, creating a prompt injection vulnerability. While these are critical vulnerabilities, there is no clear evidence of intentional malicious behavior such as data exfiltration to external endpoints or backdoor installation.