← Back to Skills Marketplace
hitman86r

Share One-Time Link

by Hitman86R · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
144
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install share-onetime-link
Description
Generate public one-shot or time-limited download links for files using a local Express server exposed via Cloudflare Tunnel. Links are tokenized, expire aut...
Usage Guidance
This skill appears to implement a legitimate one-time sharing server, but review and act on the following before installing/running it: - Treat SHARE_SECRET as mandatory and strong: the server will not run without it (server.js exits if SHARE_SECRET is unset). Do not rely on the registry summary — set a strong secret and SHARE_PUBLIC_URL explicitly. - Be cautious what files you instruct the skill or an agent to share: share-file.js will copy any path you provide into the shared directory and expose it via a public link. Do not share private keys, credentials, or other sensitive files. - Verify the public hostname and Cloudflare Tunnel configuration yourself (cloudflared must be present and you must run the tunnel). Ensure the public URL in SHARE_PUBLIC_URL matches your tunnel's hostname. - The start.sh warning is misleading: it prints a warning when SHARE_SECRET is unset, but server.js will exit if it truly isn't set. Do not assume the server is protected unless you've set and tested SHARE_SECRET. - Run the server in an isolated environment (or sandbox/workspace) if you want to test, and review logs to confirm files are deleted after download/expiry. If you want a cleaner metadata posture, ask the publisher to fix the registry env-vars to match SKILL.md and to correct start.sh behavior so it cannot be misinterpreted as safe when SHARE_SECRET is missing.
Capability Analysis
Type: OpenClaw Skill Name: share-onetime-link Version: 1.2.0 The skill provides a file-sharing service that exposes a local Express server to the public internet via a Cloudflare Tunnel. While the implementation includes security controls such as mandatory secret-based authentication (SHARE_SECRET), tokenized one-time links, and automatic file deletion in server.js, the inherent capability to create a public tunnel for local file access is a high-risk behavior. The share-file.js script facilitates moving any accessible file into the public-facing directory, which could be leveraged for data exfiltration if the agent is manipulated into sharing sensitive files like SSH keys or configuration data.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
The code (server.js + share-file.js) and required binaries (node, cloudflared) align with the stated purpose of creating tokenized one-time links via an Express server exposed through Cloudflare Tunnel. However the registry summary at the top claims 'Required env vars: none' while SKILL.md and the server require SHARE_SECRET and SHARE_PUBLIC_URL — this metadata mismatch is inconsistent and worth clarifying.
Instruction Scope
Runtime instructions and scripts will copy arbitrary files you point to into the SHARED_DIR and then request the server to generate a public /dl/<token> URL. That behavior is expected for a sharing tool, but it also enables exfiltration of any local file you ask it to share (e.g., system keys). The SKILL.md also suggests conversational agent invocation ('Just ask naturally'), which could cause an agent with file access to add and share sensitive files if allowed. The server enforces a secret for /generate and /status, but start.sh warns about missing SHARE_SECRET in a misleading way (it prints a warn and then runs node server.js — though server.js will exit if SHARE_SECRET is unset).
Install Mechanism
There is no remote install/download step: all code is included with the skill and dependencies are installed via npm locally. No network-based install from arbitrary URLs is present. This is lower risk than an installer that pulls remote archives.
Credentials
The environment variables requested by the SKILL.md (SHARE_PUBLIC_URL, SHARE_SECRET, optional SHARE_PORT and SHARED_DIR) are proportional to the task. But the registry metadata claims no required env vars, which contradicts the SKILL.md and server.js (server.js refuses to start without SHARE_SECRET). This inconsistency could cause a user to run the skill unprotected by accident if they rely on registry metadata. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It creates a local shared/ directory (relative to the skill) and deletes files after download/expiry; it does not modify other skills or system-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install share-onetime-link
  3. After installation, invoke the skill by name or use /share-onetime-link
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Security fix: SHARE_SECRET is now mandatory (server exits if not set); added env_vars to registry metadata; removed unprotected endpoint bypass; aligned install mechanism declaration
v1.1.1
Packaging fix: exclude node_modules and package-lock.json from published bundle to reduce false positive security alerts
v1.1.0
Security fix: /generate and /status endpoints now protected by SHARE_SECRET; declare required env vars in SKILL.md; add warning when secret is not set
v1.0.0
Initial release: public one-shot download links via Cloudflare Tunnel, configurable TTL, auto-cleanup
Metadata
Slug share-onetime-link
Version 1.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Share One-Time Link?

Generate public one-shot or time-limited download links for files using a local Express server exposed via Cloudflare Tunnel. Links are tokenized, expire aut... It is an AI Agent Skill for Claude Code / OpenClaw, with 144 downloads so far.

How do I install Share One-Time Link?

Run "/install share-onetime-link" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Share One-Time Link free?

Yes, Share One-Time Link is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Share One-Time Link support?

Share One-Time Link is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Share One-Time Link?

It is built and maintained by Hitman86R (@hitman86r); the current version is v1.2.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463368 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259467 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200457 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191163 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190189 · by oswalpalash

💬 Comments