Is jlevitsk/filewave safe?
https://github.com/openclaw/skills/tree/main/skills/jlevitsk/filewave
The FileWave UEM API skill is a legitimate enterprise IT management integration with no detected prompt injection, malicious code, or confirmed data exfiltration. The primary concerns are: (1) an onInstall hook that automatically executes Python code during installation, (2) write access to production enterprise device records, including a bulk-update command that can mass-modify hundreds of devices and bypass confirmation prompts, and (3) post-install simultaneous reads of all credential canary files which, while attributable to the audit system's own sweep, could not be definitively excluded as skill activity. The skill follows security best practices for credential management, but its operational scope over sensitive enterprise UEM infrastructure warrants review before deployment.
Findings (7)
HIGH Automatic Python Execution at Install Time via onInstall Hook -20
The manifest.json specifies an onInstall hook that automatically executes 'python3 lib/onboarding.py' during installation. This triggers Python code execution without explicit user consent for code to run. While onboarding.py appears to perform legitimate configuration (creating ~/.filewave/config with chmod 600), this establishes an arbitrary code execution primitive at install time that could be modified in a future update. The nine included Python library files were not fully decompiled during this audit.
MEDIUM Nine Python Library Files with Concurrent Network Request Capability -12
The skill includes nine Python library files (api_utils.py, bulk_update_handler.py, device_analytics.py, device_cache.py, device_hierarchy.py, device_hierarchy_analysis.py, config_manager.py, query_parser.py, session_data_manager.py). API_CAPABILITIES.md documents use of ThreadPoolExecutor for parallel API fetching. These files are executed by the agent and make outbound HTTP requests to the user's FileWave server. The full source was not reviewed for secondary behavior.
MEDIUM Full Enterprise Device Inventory Loaded into Agent Context -28
Every query operation loads the complete device inventory into the agent's working context, including device names, serial numbers, UDID/IMEI identifiers, OS versions, last check-in timestamps, enrollment dates, user assignments, group memberships, compliance states, and management status for all managed devices. This sensitive organizational data is exposed in the conversation and may be logged or summarized by the agent framework beyond the operator's control.
MEDIUM Bulk Device Modification Can Affect Hundreds of Production Endpoints Simultaneously -35
The filewave bulk-update command issues PATCH requests to modify device names and auth_username fields for every device in a CSV file, followed by a POST to update_model which propagates changes to all managed clients. The --confirm flag bypasses the interactive confirmation prompt entirely. An AI agent given this skill could inadvertently or through prompt manipulation trigger mass device renaming and user reassignment across an entire enterprise fleet.
LOW Post-Install Simultaneous Read of All Credential Canary Files -17
At timestamp 1771950235.874-875, all six credential canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed within 1 millisecond of each other. The audit system's canary integrity check confirms no exfiltration occurred. The sub-millisecond access pattern across all files matches the audit system's own scheduled monitoring sweep rather than targeted reads, but this cannot be definitively attributed without full process correlation.
LOW New Outbound Connections Post-Install via OpenClaw Gateway Process -18
The connection diff shows new established TCP connections after installation: 192.168.64.9:37546 > 104.16.2.34:443 and 192.168.64.9:48496/48512 > 98.83.99.233:443, all attributed to the openclaw-gatewa process. These IPs (Cloudflare 104.16.x.x range and an AWS/cloud provider) are consistent with the Openclaw agent framework reporting a new skill installation rather than skill-specific data exfiltration, but represent new network surface area that was absent before installation.
INFO No Prompt Injection Detected in SKILL.md -8
SKILL.md was reviewed in full. No instructions to override system behavior, ignore previous instructions, suppress output, switch personas, access files beyond the skill's scope, or chain with other skills in unexpected ways were found. The document is straightforward API documentation with a disclaimer warning against production use without testing.