Downloads: 260
Stars: 1
Active Installs: 1
Versions: 2
Install in OpenClaw
/install wenshushu-uploader
Description
Wenshushu file upload skill: automatically uploads files to Wenshushu and generates a share link and pickup code
Usage Guidance
This skill appears to do what it claims: upload files to wenshushu using the wssf CLI. Before installing or invoking it, consider: (1) do not provide sensitive system paths (e.g., ~/.ssh, /etc/*, credential files) — the skill will happily upload arbitrary files; (2) if you enable 'login' flows, a token is stored at ~/.config/wenshushu/token.txt — treat that token like a secret; (3) install.sh runs a remote installer (astral.sh) and will run pip install wssf — review these steps or run them manually in a sandbox if you have concerns; (4) if you need finer control, run upload.py manually in a constrained environment and inspect outputs before letting the agent invoke it autonomously.
Capability Analysis
Type: OpenClaw Skill
Name: wenshushu-uploader
Version: 0.1.1
The skill exhibits high-risk behaviors and a potential path traversal vulnerability. It includes an installation script (`install.sh`) that executes a remote script via `curl | sh` and a Python script (`scripts/upload.py`) that performs runtime package installation using `uv`. Furthermore, the `upload_file` function in `scripts/upload.py` resolves file paths without validating that they reside within the intended workspace, potentially allowing an agent to exfiltrate sensitive system files if prompted. While these capabilities are aligned with the stated purpose of uploading files to Wenshushu, the lack of path sanitization and the automated execution of remote installation logic meet the criteria for a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description, included scripts, and SKILL.md all describe a file uploader for wenshushu. Declared dependencies (wssf, uv) and included install.sh / upload.py are consistent with that purpose; nothing requested appears unrelated to uploading files to wenshushu.
Instruction Scope
Runtime instructions tell the agent to check file existence, call the wssf CLI, and optionally save upload records. This is coherent, but the skill will accept arbitrary filesystem paths and upload them to an external service — which is expected for an uploader but enables accidental or malicious exfiltration if the agent is given sensitive paths (e.g., SSH keys, tokens). The SKILL.md also instructs users how to extract an X-TOKEN from browser devtools and store it locally for logged uploads; that flow is optional but sensitive.
Install Mechanism
No opaque downloads from unknown hosts in the package files. The automation uses a known uv installer (curl https://astral.sh/uv/install.sh) and pip install wssf==5.0.6 (PyPI). These are typical for Python tooling; running a remote installer (curl | sh) is moderately risky operationally but expected for installing uv.
Credentials
The skill does not declare unrelated environment variables or credentials. It may read/write a local token at ~/.config/wenshushu/token.txt and write upload records to ~/.openclaw/memory/wenshushu-uploads.jsonl — reasonable for its function. However, because it accepts arbitrary file paths, it can be used to transmit any local file to the remote service; treat that as a sensitive capability (not a hidden one).
Persistence & Privilege
always is false and the skill does not request elevated platform privilege. It persists its own configuration/token and upload logs under user-scoped config paths (~/.config and ~/.openclaw) which is proportionate to functionality and does not appear to modify other skills or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install wenshushu-uploader
- After installation, invoke the skill by name or use /wenshushu-uploader
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
- Initial release of wenshushu-uploader as version 0.1.1.
- Added full documentation and usage instructions (README.md, SKILL.md).
- Introduced install script for environment setup (install.sh).
- Implemented main upload logic in scripts/upload.py.
- Added metadata description (_meta.json).
- Minor update: renamed the skill internally to "wenshushu-file-uploader".
v0.1.0
- Initial release of wenshushu-uploader skill.
- Enables automatic upload of files to wenshushu.cn, generating public download links and 4-digit pickup codes.
- Supports both single and batch (multi-file) uploads.
- Allows anonymous or logged-in uploads with optional proxy configuration.
- Records upload history locally and provides management links for uploaded files.
- Includes built-in wssf tool installation and configuration for first-time use.
Frequently Asked Questions
What is Wenshushu File Uploader?
A Wenshushu file upload skill that automatically uploads files to Wenshushu and generates a share link and pickup code. It is an AI Agent Skill for Claude Code / OpenClaw, with 260 downloads so far.
How do I install Wenshushu File Uploader?
Run "/install wenshushu-uploader" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Wenshushu File Uploader free?
Yes, Wenshushu File Uploader is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Wenshushu File Uploader support?
Wenshushu File Uploader is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Wenshushu File Uploader?
It is built and maintained by 阿晨聊技术 (@gcdd1993); the current version is v0.1.1.