← Back to Skills Marketplace
uf2.net URL Shortener
by
S. Rob Beck
· GitHub ↗
· v1.0.1
487
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install uf2-net
Description
Create, manage, and track custom short URLs with uf2.net API; links never expire and provide click counts and public stats via simple REST calls.
Usage Guidance
This skill appears to do what it says: a small CLI wrapper around uf2.net. Before installing: (1) be aware it requires your uf2.net API key (UF2_API_KEY) — prefer adding that to a secure secret store rather than plaintext shell profiles, (2) the package metadata does not list the required env var (UF2_API_KEY) although the SKILL.md and script require it — treat that as a bookkeeping error and confirm your environment handling, and (3) the included script builds JSON bodies by naive string concatenation (no escaping). That can break on inputs containing quotes/newlines and could cause malformed requests; if you accept untrusted input into the script, consider improving it to safely escape JSON (for example using jq --arg or printf with proper escaping). If you rely on this skill in an automated agent, ensure the agent's secret storage and policy enforce secure handling of UF2_API_KEY and review the script changes above.
Capability Analysis
Type: OpenClaw Skill
Name: uf2-net
Version: 1.0.1
The skill is classified as suspicious due to critical command injection vulnerabilities found in `scripts/uf2.sh`. The `cmd_create` function directly interpolates user-provided arguments (`url`, `slug`, `title`) into a JSON string without proper shell escaping, which allows for arbitrary command execution via `$(command)` injection. Additionally, `cmd_list`, `cmd_get`, and `cmd_delete` are vulnerable to URL parameter and path injection due to direct interpolation of user input into `curl` arguments. These are significant vulnerabilities, but there is no clear evidence of intentional malicious behavior (e.g., data exfiltration, backdoors) by the skill itself, only flaws that allow an attacker to exploit the agent running the script.
Capability Assessment
Purpose & Capability
The skill's name/description (uf2.net URL shortener) match the provided SKILL.md, API reference, and scripts: it performs link create/list/get/delete and requires an API key. However, registry metadata at the top of the package states 'Required env vars: none' and 'Primary credential: none' while SKILL.md and scripts explicitly require UF2_API_KEY — this mismatch should be corrected.
Instruction Scope
Runtime instructions are narrowly scoped to interacting with the uf2.net API via curl and the included scripts. The SKILL.md does not instruct the agent to read unrelated files or exfiltrate data to unexpected endpoints; it only references storing/using the UF2_API_KEY and using the official uf2.net endpoints.
Install Mechanism
This is an instruction-only skill with an included shell script; there is no install spec that downloads or executes remote archives or packages. No high-risk install URLs or extraction steps are present.
Credentials
The script and SKILL.md require a single API credential (UF2_API_KEY), which is appropriate for the stated functionality. The concern is the package-level metadata does not declare this required environment variable; that inconsistency could cause automation or permission checks to miss that a secret is needed. Also the SKILL.md suggests adding the API key to shell profile as one persistence option — users should prefer secure stores.
Persistence & Privilege
The skill does not request always:true or elevated/system-wide privileges and does not modify other skills or system-wide settings. It runs as an on-demand CLI wrapper using environment-provided credentials.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install uf2-net - After installation, invoke the skill by name or use
/uf2-net - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Security and metadata improvements: (1) Declared UF2_API_KEY as required credential in frontmatter metadata, (2) Added comprehensive credential management section with secure storage recommendations, (3) Removed references to storing keys in plain text files, (4) Added service details (homepage, TLS, docs), (5) Added security notes section documenting link visibility and constraints, (6) Added source/homepage metadata fields. Addresses registry security review feedback.
v1.0.0
Initial release: Create, manage, and track short URLs via uf2.net API. Includes CLI wrapper, full API docs, and tracking support.
Metadata
Frequently Asked Questions
What is uf2.net URL Shortener?
Create, manage, and track custom short URLs with uf2.net API; links never expire and provide click counts and public stats via simple REST calls. It is an AI Agent Skill for Claude Code / OpenClaw, with 487 downloads so far.
How do I install uf2.net URL Shortener?
Run "/install uf2-net" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is uf2.net URL Shortener free?
Yes, uf2.net URL Shortener is completely free (open-source). You can download, install and use it at no cost.
Which platforms does uf2.net URL Shortener support?
uf2.net URL Shortener is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created uf2.net URL Shortener?
It is built and maintained by S. Rob Beck (@setdemos); the current version is v1.0.1.
More Skills