← Back to Skills Marketplace

Cloudflare R2 CLI

Name: Cloudflare R2 CLI
Author: zororaka00

by Web3 Hungry · GitHub ↗ · v1.0.6

cross-platform ⚠ suspicious

531

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install r2-cli

Description

Minimal Python CLI for secure upload, download, list, and delete operations on Cloudflare R2 storage using AWS Signature V4 authentication.

Usage Guidance

This skill appears to be a straightforward R2 CLI, but be careful: the registry metadata claims no required env vars while the SKILL.md and r2.py require five sensitive environment variables (account ID, access key ID, secret, bucket, region). Before installing or enabling this skill: - Treat CF_R2_ACCESS_KEY_ID and CF_R2_SECRET_ACCESS_KEY as sensitive credentials and provide them via a secure secret manager or ephemeral environment, not in persistent config or code. - Confirm the platform/registry entry is updated to declare required env vars so secrets aren't accidentally omitted or exposed by automation. - Test the script in a non-production environment first (it reads env vars at import and will exit if they are missing). - Review that the ACCOUNT_ID you supply will result in requests to *.r2.cloudflarestorage.com (the code enforces this host). - If you need least-privilege, create an access key limited to the specific bucket and operations required. If the metadata mismatch was intentional or you cannot confirm origin/trustworthiness of the skill source, do not provide production credentials.

Capability Analysis

Type: OpenClaw Skill Name: r2-cli Version: 1.0.6 The OpenClaw R2 CLI skill is classified as benign. Both the `SKILL.md` documentation and the `r2.py` source code demonstrate a strong focus on security. The skill explicitly uses environment variables for sensitive credentials, employs `defusedxml` for safe XML parsing, and critically, the `_validate_url` function in `r2.py` strictly enforces HTTPS and restricts network communication to only `cloudflarestorage.com` domains. There is no evidence of malicious intent such as data exfiltration, unauthorized execution, persistence mechanisms, or prompt injection attempts against the agent in the markdown instructions. The code is well-structured and adheres to security best practices for interacting with cloud storage.

Capability Assessment

⚠ Purpose & Capability

The declared purpose (Cloudflare R2 CLI) matches the code and instructions (upload/download/list/delete using AWS SigV4). However the registry metadata at the top of the provided manifest claims no required env vars/binaries while SKILL.md and the code require five sensitive environment variables (account id, access key id, secret, bucket, region). This metadata mismatch is incoherent and could cause automated platforms to mis-handle secrets or permissions.

ℹ Instruction Scope

SKILL.md instructs the user to set and verify environment variables and to install defusedxml if missing; those instructions stay within the stated purpose. One operational detail: the code reads required environment variables at import time and exits if they are missing, which means simply loading or invoking the skill without env vars will terminate the process — this is a behavior the runtime should be aware of but is not inherently malicious.

✓ Install Mechanism

This is an instruction-only skill with no install spec and a single Python file. It uses defusedxml (recommended to be pip-installed). No downloads from untrusted URLs or archives are present; installation risk is low.

⚠ Credentials

The skill legitimately requires Cloudflare R2 credentials (ACCESS_KEY_ID and SECRET_ACCESS_KEY, account id, bucket). Those sensitive env vars are appropriate for the stated functionality. The concern is the inconsistent registry metadata (claims no required envs) which could hide or misrepresent the need to provide secrets to the runtime. The number and type of env vars requested are otherwise proportionate to the task.

✓ Persistence & Privilege

The skill does not request permanent presence (always: false) and does not modify other skills or system-wide settings. Model invocation is allowed (default) but combined with the other findings does not by itself raise a privilege concern.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install r2-cli
After installation, invoke the skill by name or use /r2-cli
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.6

Version 1.0.6 - Added required_env_vars, primaryEnv, and primarySecretEnv entries to the skill metadata for clearer environment variable usage and secret designation. - No changes to code or functional behavior; documentation updated only.

v1.0.5

- Updated skill version to 1.0.5. - Added a source attribute pointing to r2.py in the skill metadata. - Enhanced credential metadata: credentials are now explicitly marked as required, type set to "environment", and credential variables listed. - No changes made to code or feature set.

v1.0.4

- Updated skill metadata to specify environment variable requirements and descriptions. - Added security notes and emphasized temporary session use for credentials in environment setup instructions. - Included recommendations for secure credential management in production environments (e.g., keyring, secret managers). - Improved clarity and security warnings in documentation.

v1.0.3

- Updated skill name from "cloudflare-r2-cli" to "r2-cli". - Bumped version number to 1.0.3. - No code or feature changes in this release—metadata only update.

v1.0.2

- Bumped version to 1.0.2 in skill metadata. - No functional or file changes detected.

v1.0.1

- Added structured metadata section in SKILL.md, including name, description, version, author, category, tags, runtime, dependencies, and required environment variables. - No code or functional changes; documentation only. - Improves discoverability and clarity of skill information.

v1.0.0

Initial release of Cloudflare R2 CLI Skill. - Provides a minimal Python CLI tool for Cloudflare R2 storage using S3-compatible API. - Supports secure upload, download, list, and delete of bucket objects. - Requires only Python 3.11+ and the defusedxml dependency for secure XML parsing. - Credentials and configuration handled securely via environment variables. - Enforces HTTPS, hardened HTTP client, and safe XML parsing to follow modern security best practices.

Metadata

Slug r2-cli

Version 1.0.6

License —

All-time Installs 0

Active Installs 0

Total Versions 7

Frequently Asked Questions

What is Cloudflare R2 CLI?

Minimal Python CLI for secure upload, download, list, and delete operations on Cloudflare R2 storage using AWS Signature V4 authentication. It is an AI Agent Skill for Claude Code / OpenClaw, with 531 downloads so far.

How do I install Cloudflare R2 CLI?

Run "/install r2-cli" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Cloudflare R2 CLI free?

Yes, Cloudflare R2 CLI is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Cloudflare R2 CLI support?

Cloudflare R2 CLI is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Cloudflare R2 CLI?

It is built and maintained by Web3 Hungry (@zororaka00); the current version is v1.0.6.

More Skills