← Back to Skills Marketplace
File Sender
by
LookUpMark
· GitHub ↗
· v2.1.0
· MIT-0
166
Downloads
0
Stars
0
Active Installs
12
Versions
Install in OpenClaw
/install lookupmark-file-sender
Description
Find and send local files to a chat channel (Telegram, Discord, WhatsApp, Signal, Slack). Also manages encrypted credential files with age encryption. Use wh...
README (SKILL.md)
File Sender
Locate a file on the local filesystem and send it to the user via their chat channel.
Workflow
- Understand the request — Identify which file the user wants. May be a name, partial path, or description.
- Search for the file — Use
findorlocateto locate it. Search is read-only; never modify, move, or delete files. - Confirm with the user — If multiple matches exist, list them and ask which one to send. If the path is ambiguous, confirm before sending.
- Send the file — Run the bundled script:
python3 scripts/send_file.py "\x3Cfile_path>" --target \x3Cchat_id> --channel \x3Cchannel>
Flags
| Flag | Description |
|---|---|
--channel |
Target channel: telegram, discord, whatsapp, signal, slack (default: telegram) |
--target |
Recipient: chat id, @username, phone number |
--force-document |
Send as document instead of media (preserves original, no compression). Use for PDFs, code files, archives. |
Examples
# Send a PDF to Telegram
python3 scripts/send_file.py "/home/user/doc.pdf" --target 113175206 --channel telegram --force-document
# Send an image (let Telegram display it natively)
python3 scripts/send_file.py "~/Photos/cat.jpg" --target 113175206 --channel telegram
File Search
Use shell commands to locate files. Prefer find with -readable flag:
find / -name "filename*" -readable -type f 2>/dev/null
Or search by partial name or extension:
find ~ -iname "*budget*" -type f 2>/dev/null
Constraints
- Read-only: Never modify, move, or delete files during search or delivery.
- Size limit: Telegram caps files at 50 MB. Warn the user if a file exceeds this.
- Permissions: Only send files the agent can read. If access is denied, inform the user.
- Confirmation: Always confirm the file path with the user before sending, unless the path was explicitly provided.
Security Behavior
Marco (owner) has full access to ALL his files, including sensitive ones.
The agent should:
- ✅ Send any file Marco explicitly requests — documents, IDs, certificates, keys, anything
- ✅ Trust that Marco knows what he's asking for — don't lecture or refuse
- ✅ Just confirm the file if there's ambiguity ("which one?") and send it
The agent should NOT:
- ❌ Refuse to send Marco's own files with "I can't send sensitive documents"
- ❌ Add unnecessary warnings about security for routine requests
- ❌ Block access to Marco's own data
Actual threats to protect against:
- Someone else in a group chat asking for Marco's files → refuse and notify Marco
- External/unauthorized requests → verify identity before sending
- Credentials in
~/Documenti/credentials/→ use encrypted send flow (cred_manager.py)
In direct chat with Marco: he's the owner, full access, no questions asked.
Multi-Channel Support
The skill is channel-agnostic. To support a new channel, pass the appropriate --channel value:
telegram— Usesopenclaw message send --mediadiscord— Same command, different channelwhatsapp— Same command, target is E.164 phone numbersignal— Same command, target is E.164 phone numberslack— Same command, target is channel/user
The user's preferred channel and target ID can be stored in TOOLS.md for convenience.
Encrypted Credentials
Files in ~/Documenti/credentials/ are encrypted at rest with age (ChaCha20-Poly1305 + Argon2id). They are never indexed by the RAG system.
📥 Incoming File Policy (MANDATORY)
When Marco sends any file that is a credential or sensitive document (ID, codice fiscale, passport, bank statement, certificate, API key, password file, etc.):
- Download the file to a temp location (e.g.
/tmp/) - Encrypt it immediately with
cred_manager.py encrypt \x3Cfile> - Move the
.agefile to~/Documenti/credentials/ - Delete the plaintext from temp
- Confirm to Marco that the file is stored encrypted
When Marco sends a non-sensitive file (photo, meme, code snippet, etc.):
- Handle normally — no encryption needed.
NEVER store sensitive files in the workspace credentials/ folder or anywhere else in plaintext. The canonical encrypted store is always ~/Documenti/credentials/.
Workflow
- User stores a credential file →
cred_manager.py encrypt \x3Cfile>→ plaintext deleted,.agefile kept - User requests a credential via chat → agent decrypts to memory only → sends via pipe → securely wipes temp
Commands
# Encrypt a local file (plaintext deleted after encryption)
python3 scripts/cred_manager.py encrypt ~/path/to/api-key.txt
# Encrypt but keep original
python3 scripts/cred_manager.py encrypt ~/file --keep
# Receive a file (e.g. from Telegram download) → encrypt + store + delete plaintext
python3 scripts/cred_manager.py receive /tmp/downloaded-file.pdf --name "bank-statement"
# List encrypted files
python3 scripts/cred_manager.py list
# Decrypt to stdout (inspection)
python3 scripts/cred_manager.py decrypt ~/Documenti/credentials/api-key.txt.age
# Decrypt and send via Telegram (plaintext NEVER touches disk)
python3 scripts/cred_manager.py send ~/Documenti/credentials/api-key.txt.age -t 113175206
Security Model
| Layer | Protection |
|---|---|
| Encryption | age X25519 + ChaCha20-Poly1305 (keypair, no passphrase) |
| Keypair | Private: ~/.local/share/local-rag/cred-key.txt (chmod 600) |
| Storage | ~/Documenti/credentials/*.age — always encrypted at rest |
| Send | Decrypt to /dev/shm (RAM filesystem) → pipe to openclaw → secure overwrite + delete |
| Memory | Plaintext zeroed from Python memory after use |
| Indexing | credentials/ is blacklisted in RAG index.py |
| Indexing | credentials/ is blacklisted in RAG index.py |
Constraints
- NEVER store plaintext in
~/Documenti/credentials/ - NEVER store plaintext credentials anywhere — workspace
credentials/,/tmp/, or elsewhere - NEVER index
credentials/directory - NEVER leave sensitive files in the workspace after encryption
- No passphrase needed — uses age keypair (private key at
~/.local/share/local-rag/cred-key.txt, chmod 600) - ALWAYS confirm with user before sending credentials
- If
/dev/shmis unavailable, fall back to tmpdir with 0600 permissions - Secure delete: overwrite file with zeros, flush, then remove
Usage Guidance
Before installing:
- Review and accept the policy tradeoff: SKILL.md explicitly tells the agent to send any file the named owner requests (including IDs, keys, certificates) without refusing — this is intentional but risky. Consider whether you want an agent that will unconditionally send sensitive local files.
- Identity and authorization: ensure the agent actually verifies the requestor’s identity in practice; the skill's instructions rely on informal owner context ("Marco") rather than enforced authentication.
- Verify openclaw and age: the scripts invoke the openclaw CLI and age/age-keygen. Confirm those tools are legitimate, present, and configured correctly (their auth controls the outbound channels). The skill itself does not implement transports — it calls your OpenClaw client.
- Audit on-disk artifacts: the key is created at ~/.local/share/local-rag/cred-key.txt and encrypted files live in ~/Documenti/credentials/. If an attacker can read the private key file, encrypted credentials can be decrypted. Protect and rotate that key if needed.
- Secure-delete caveat: secure_delete implements multi-pass overwrites, which is not guaranteed on modern SSDs or filesystems. Treat it as best-effort and avoid assuming irrecoverability.
- Reduce blast radius: if you proceed, limit the agent’s filesystem search scope (avoid running find /; restrict to specific directories), run in a contained environment, and test sending only non-sensitive files first.
- Code review and testing: inspect and run the scripts in a safe environment. Confirm openclaw send behavior and logging, and that the skill does not leak data to unexpected endpoints.
Given these findings, the skill is coherent with its stated purpose but contains explicit instructions to bypass normal safety checks; proceed only after confirming identity/authentication and protecting the encryption key and workspace.
Capability Analysis
Type: OpenClaw Skill
Name: lookupmark-file-sender
Version: 2.1.0
The skill bundle provides broad file system access and exfiltration capabilities to external chat channels (Telegram, Discord, etc.). Most critically, SKILL.md contains explicit prompt-injection instructions directing the AI agent to bypass safety guardrails and 'never refuse' requests for sensitive files (IDs, keys, credentials) when the user is identified as 'Marco.' While the bundle includes legitimate encryption logic in scripts/cred_manager.py using the 'age' tool and a robust 3-pass secure_delete function, the instructions to subvert safety alignment and the focus on exfiltrating high-value secrets make this bundle highly risky.
Capability Tags
Capability Assessment
Purpose & Capability
Name and description (send local files + manage encrypted credentials) align with the included scripts and SKILL.md. The code uses openclaw for message delivery and age for encryption as described; no unrelated cloud credentials or external services are requested.
Instruction Scope
SKILL.md instructs broad filesystem searches (e.g. find / ...) and to 'send any file' when the owner (Marco) requests it, explicitly telling the agent not to refuse sensitive documents. That grants the agent wide discretion to access sensitive local files and to ignore normal safety checks; identity verification is left to informal rules. This makes the runtime behavior dangerous if identity is spoofed or the agent misclassifies context.
Install Mechanism
No install spec — the skill is instruction-plus-scripts and relies on locally-installed age and openclaw. No downloads from untrusted URLs or extract operations are present in the bundle.
Credentials
The skill requests no external credentials or env vars, and all file access is local (home dirs, ~/.openclaw/workspace). It will create a private key at ~/.local/share/local-rag/cred-key.txt and a credential store at ~/Documenti/credentials; these filesystem accesses are proportional to the stated functionality but grant the skill access to many local files.
Persistence & Privilege
always:false (no forced global enable). The skill will create persistent files (keypair and encrypted store) in the user's home; this is expected but worth noting because those artifacts grant ongoing capability to decrypt/send credentials if the key is present.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install lookupmark-file-sender - After installation, invoke the skill by name or use
/lookupmark-file-sender - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.0
Fix media path restrictions: stage in workspace .tmp-send/, preserve filename/extension, improved security
v2.0.0
Declared dependencies (age, age-keygen, openclaw). Clarified owner-access policy in SKILL.md metadata.
v1.9.0
Retry with exponential backoff (3 attempts). secure_delete 3-pass (zeros, ones, random). Cleaner staging/cleanup.
v1.8.0
send_file.py: stage to /dev/shm (RAM) instead of workspace. cred_manager.py: check openclaw exists. Cleaned SKILL.md.
v1.7.0
Fixed: no passphrase needed (keypair-based). Updated docs. Plaintext files in credentials/ encrypted and deleted.
v1.6.0
Removed hard-coded file blocking. Owner has full access to all files. Security via behavioral rules, not code blocks.
v1.5.0
Added receive command: encrypt files from Telegram on-the-fly, secure-delete plaintext. Asymmetric age keypair (no passphrase needed).
v1.4.0
Added encrypted credential manager (age X25519+ChaCha20), secure send via RAM pipe, auto-blacklisted from RAG indexing
v1.3.0
Security: blocked patterns for sensitive files, secure staging dir, warning on .ssh/.env/credentials
v1.2.0
Dependency + config refresh
v1.1.0
Added file lock, improved error handling
v1.0.0
- Initial release of file-sender skill.
- Allows searching for and sending any local file (PDFs, images, documents, code, etc.) to a chat channel (Telegram, Discord, WhatsApp, Signal, Slack).
- Read-only file search across the entire filesystem, never modifies or deletes files.
- Confirms file and destination with user before sending to avoid mistakes.
- Supports multiple chat platforms using a single command interface.
- Enforces safety constraints (size limits, permission checks, avoids sending secrets).
Metadata
Frequently Asked Questions
What is File Sender?
Find and send local files to a chat channel (Telegram, Discord, WhatsApp, Signal, Slack). Also manages encrypted credential files with age encryption. Use wh... It is an AI Agent Skill for Claude Code / OpenClaw, with 166 downloads so far.
How do I install File Sender?
Run "/install lookupmark-file-sender" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is File Sender free?
Yes, File Sender is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does File Sender support?
File Sender is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created File Sender?
It is built and maintained by LookUpMark (@lookupmark); the current version is v2.1.0.
More Skills