← Back to Skills Marketplace
252
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install us3-uploader-encrypted
Description
Upload files to UCloud US3 (UFile) object storage and generate download URLs. 当用户需要:上传文件、发送文件、分享文件、生成文件链接、把文件发给用户、导出文件、 生成PDF/图片/文档后发送、任何文件产出需要给用户时,必须使用此 ski...
Usage Guidance
This skill appears to implement a legitimate US3 uploader, but there are concerning inconsistencies and privilege choices you should address before installing: (1) Fix the metadata: declare required environment variables and the primary credential so the platform can surface what secrets the skill needs. (2) Remove or justify always:true — prefer user-invoked only unless you have a clear reason to force inclusion. (3) If you must provide keys, create a dedicated, least-privilege API key and a single bucket used only for this purpose; do not provide high-privilege account keys. (4) Review and, if desired, vendor-lock the runtime dependency (replace runtime pip install with a declared install spec or bundle a pinned dependency) to avoid unexpected downloads. (5) Test in an isolated environment and verify the script only uploads intended files and the signed URLs behave as expected. If you cannot or will not correct the metadata and remove always:true, treat the skill as high-risk and avoid supplying production credentials.
Capability Analysis
Type: OpenClaw Skill
Name: us3-uploader-encrypted
Version: 1.0.0
The skill bundle provides a utility to exfiltrate files from the local sandbox to UCloud US3 storage. While this aligns with its stated purpose, `SKILL.md` contains aggressive, imperative instructions forcing the AI agent to upload all file outputs, which could be leveraged to exfiltrate sensitive data. Furthermore, `scripts/upload_to_us3.py` uses `os.system` to install the `ufile` SDK at runtime, which is a risky execution pattern that could be exploited if the package name were manipulated.
Capability Assessment
Purpose & Capability
The skill's stated purpose (upload files to UCloud US3) matches the provided script and docs. However the registry metadata declares no required environment variables or primary credential while the SKILL.md and the script require US3_PUBLIC_KEY, US3_PRIVATE_KEY and US3_BUCKET. That mismatch (declared vs. actual requirements) is incoherent and should be corrected before trusting the skill.
Instruction Scope
SKILL.md explicitly instructs the agent to always upload any produced file and to run python3 scripts/upload_to_us3.py <file>. The script reads arbitrary file paths given to it and environment secrets, and will auto-install the ufile SDK if missing. The 'always upload' mandate combined with an auto-installing script increases the chance of accidental/excessive uploads (including sensitive files) and unexpected network activity.
Install Mechanism
No install spec in registry (instruction-only), but the included script will attempt to run 'pip3 install -q ufile' at runtime via os.system if the SDK is missing. Installing packages at runtime over the network is a moderate risk (unreviewed code pulled from PyPI) and should be called out.
Credentials
The environment variables required by the script (US3_PUBLIC_KEY, US3_PRIVATE_KEY, US3_BUCKET, optional US3_ENDPOINT and US3_MAX_FILE_SIZE_MB) are appropriate for the uploader's function, but the registry metadata does not advertise them. The script requires a private API key (sensitive). Combined with the skill being always-included, this raises a real risk: a loaded skill with access to a PRIVATE_KEY could be invoked unexpectedly and upload files or generate signed URLs.
Persistence & Privilege
The skill is marked always:true in its metadata, meaning it will be force-included in every agent run. That privilege combined with access to a private API key and an instruction that 'any produced file must be uploaded' is disproportionate — most uploader skills do not need to be always-enabled. This increases blast radius for accidental or malicious file uploads.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install us3-uploader-encrypted - After installation, invoke the skill by name or use
/us3-uploader-encrypted - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
us3-uploader-encrypted 1.0.0
- Initial release: upload files to UCloud US3 object storage and generate signed download URLs.
- Enforces file uploads for all output files, preventing sending inaccessible sandbox paths to users.
- Features timestamp and MD5-based file renaming, signed URLs (7-day validity), and configurable file size limit (default 50MB).
- Includes auto-installation for the UCloud SDK and direct URL output for users.
- Detailed setup instructions and security guidance provided in documentation.
Metadata
Frequently Asked Questions
What is us3-uploader-encrypted?
Upload files to UCloud US3 (UFile) object storage and generate download URLs. 当用户需要:上传文件、发送文件、分享文件、生成文件链接、把文件发给用户、导出文件、 生成PDF/图片/文档后发送、任何文件产出需要给用户时,必须使用此 ski... It is an AI Agent Skill for Claude Code / OpenClaw, with 252 downloads so far.
How do I install us3-uploader-encrypted?
Run "/install us3-uploader-encrypted" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is us3-uploader-encrypted free?
Yes, us3-uploader-encrypted is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does us3-uploader-encrypted support?
us3-uploader-encrypted is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created us3-uploader-encrypted?
It is built and maintained by qianjunye (@qianjunye); the current version is v1.0.0.
More Skills