← Back to Skills Marketplace
chengwang86

file-transfer-thru-local-workspace

by chengwang86 · GitHub ↗ · v3.1.1 · MIT-0
cross-platform ⚠ suspicious
360
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install file-transfer-thru-local-workspace
Description
通过网页上传下载文件至本地 workspace,支持智能认证、文件管理及技能包浏览下载,文件不离开本地服务器。
README (SKILL.md)

file-transfer-thru-local-workspace

OpenClaw 文件传输技能 - 通过网页上传/下载文件到本地 workspace,支持技能包浏览下载

🎯 与其他上传技能的区别

❌ 我们不是:

  • ❌ 云存储服务(不是上传到云端)
  • ❌ 图床服务(不是获取外链)
  • ❌ 文件分享工具(不是分享给他人)

✅ 我们是:

  • 本地传输 - 文件保存在你的机器上
  • AI 分析 - 上传后让 AI 帮你分析文件内容
  • 私有安全 - 文件不离开你的服务器
  • OpenClaw 集成 - 与你的 AI 助手无缝协作
  • 技能包管理 - 浏览、下载已安装的技能包

典型使用场景:

1. 上传 PDF → AI 总结内容
2. 上传截屏 → AI 提取文字
3. 上传日志 → AI 分析问题
4. 上传代码 → AI 审查优化
5. 下载技能包 → 备份/分享技能

功能

  • 📁 网页端文件上传/下载(支持拖拽)
  • 🔐 智能认证:自动适配 Token/Password/无认证
  • 🇨🇳 支持中文文件名
  • 🚀 一键安装,自动配置
  • 📦 独立服务,不影响 Gateway
  • 🤖 AI 自动回答上传地址
  • 📂 文件列表展示与管理
  • 🗑️ 支持文件删除
  • 🎁 技能包浏览与下载

快速开始

安装

# 方式 1: 从 ClawHub 安装(推荐)
openclaw skills install file-transfer-thru-local-workspace

# 方式 2: 本地安装
git clone \x3Crepo-url> ~/.openclaw/workspace/skills/file-transfer-thru-local-workspace
cd ~/.openclaw/workspace/skills/file-transfer-thru-local-workspace
./install.sh

使用

安装后自动启动上传服务,访问:

http://\x3Cserver-ip>:15170/?token=\x3Cyour-auth-value>

🔐 认证说明:

  • 如果你的 Gateway 配置了 token → 使用 token
  • 如果你的 Gateway 配置了 password → 使用 password
  • 如果 无认证 → 直接访问(建议配置认证)

💡 如何获取认证值:

# 查看你的认证配置
cat ~/.openclaw/openclaw.json | grep -A3 '"auth"'

询问 AI

用户可以直接问:

  • "怎么上传文件给你?"
  • "上传地址是什么?"
  • "如何发送文件?"

AI 会自动回复正确的上传地址(隐藏敏感信息)

配置

环境变量

# 可选配置,默认值如下
export UPLOAD_PORT=15170           # 上传服务端口(可自定义)
export UPLOAD_PATH="/upload"       # 上传页面路径
export WORKSPACE="~/.openclaw/workspace"  # 文件保存目录

自定义端口

如果 15170 端口被占用,可以在安装前设置:

export UPLOAD_PORT=18888
openclaw skills install file-upload

openclaw.json 配置

{
  "skills": {
    "file-upload": {
      "enabled": true,
      "port": 15170,
      "workspace": "~/.openclaw/workspace",
      "maxFileSize": "50MB",
      "autoStart": true
    }
  },
  "agents": {
    "defaults": {
      "env": {
        "UPLOAD_PORT": "15170",
        "UPLOAD_PATH": "/upload"
      }
    }
  }
}

🔐 认证兼容性

技能包支持所有 OpenClaw 认证方式:

认证方式 配置示例 技能包行为
Token 认证 "mode": "token"\x3Cbr>"token": "xxx" ✅ 自动读取 token
Password 认证 "mode": "password"\x3Cbr>"password": "xxx" ✅ 自动读取 password
无认证 auth 配置 ⚠️ 空认证(建议配置)
Tailscale "allowTailscale": true ⚠️ 空认证

前端统一使用:

http://\x3Cserver-ip>:15170/?token=\x3C认证值>

后端会自动匹配 gateway.auth.tokengateway.auth.password

详见:docs/AUTH-COMPATIBILITY.md

AI 集成

SKILL.md 指令

AI 会读取本文件,了解如何回答上传相关问题。关键指令:

## 如何回答上传地址问题

当用户询问上传文件、发送文件、上传地址时:

1. **不要直接暴露 token/password**
2. **使用占位符**:`\x3Cyour-auth-value>` 代替真实认证值
3. **提示用户从配置获取**:告诉用户在 `~/.openclaw/openclaw.json` 查找

标准回复模板:

📁 文件上传地址: http://\x3Cserver-ip>:15170/?token=\x3Cyour-auth-value>

获取认证值:

  1. 查看 ~/.openclaw/openclaw.json
  2. 找到 gateway.auth.token 或 gateway.auth.password
  3. 替换 URL 中的 \x3Cyour-auth-value>

或者直接访问:http://\x3Cserver-ip>:15170/ (无认证配置时不需要参数)

示例对话

用户: 怎么上传文件给你?

AI:

📁 你可以通过网页上传文件给我!

上传地址:
http://\x3Cserver-ip>:15170/?token=\x3Cyour-auth-value>

🔐 获取认证值:
1. 查看配置文件:~/.openclaw/openclaw.json
2. 找到 gateway.auth.token 或 gateway.auth.password
3. 替换 URL 中的 \x3Cyour-auth-value>

💡 使用步骤:
1. 打开上传地址
2. 拖拽文件到上传区域
3. 点击"上传文件"
4. 上传成功后告诉我文件名

支持中文文件名,最大 50MB。

用户: 上传地址是什么?

AI:

📤 文件上传服务已启动!

访问地址:http://\x3Cserver-ip>:15170/

认证方式:
- URL 参数:?token=\x3Cyour-auth-value>
- 认证位置:~/.openclaw/openclaw.json → gateway.auth

上传的文件会保存到:~/openclaw/workspace/uploads/
上传成功后告诉我文件名,我可以帮你分析!

用户: 我没有配置 token,怎么办?

AI:

🔐 没关系!如果你没有配置认证:

**临时使用(不推荐):**
- 直接访问:http://127.0.0.1:15170/
- 不需要认证参数

**建议配置认证:**
```bash
# 生成随机 token
openclaw doctor --generate-gateway-token

# 或手动配置
openclaw config set gateway.auth.token $(openssl rand -hex 32)

配置后重启 Gateway 即可使用认证保护。


## 目录结构

file-upload/ ├── SKILL.md # 技能说明(本文件) ├── package.json # 技能元数据 ├── install.sh # 安装脚本 ├── uninstall.sh # 卸载脚本 ├── src/ │ ├── upload-server.js # 上传服务器 │ └── upload.html # 上传页面 ├── templates/ │ └── openclaw.json.template # 配置模板 └── docs/ └── README.md # 详细文档


## 安全说明

### 认证安全
- ✅ **智能认证适配**:自动读取 token 或 password
- ✅ 认证值不在技能包中硬编码
- ✅ 认证值不在日志中明文显示
- ✅ 支持无认证降级(会提示警告)

### 文件系统安全
- ✅ 独立 `uploads/` 目录,与工作文件隔离
- ✅ 文件名 sanitization,防止路径遍历攻击
- ✅ 仅允许访问 uploads 目录
- ✅ 删除操作需要认证

### 网络安全
- ✅ CORS 头配置
- ✅ 仅监听指定端口
- ✅ 不自动暴露到公网
- ⚠️ 建议配合防火墙规则使用

详见:[SECURITY-AUDIT.md](SECURITY-AUDIT.md)

## 开发

```bash
# 本地测试
cd ~/.openclaw/workspace/skills/file-upload
node src/upload-server.js

# 查看日志
tail -f ~/.openclaw/workspace/upload-server.log

故障排查

无法访问上传页面

  1. 检查服务是否运行:
ps aux | grep upload-server
  1. 检查端口是否监听:
netstat -tlnp | grep 15170
  1. 检查防火墙:
sudo iptables -L -n | grep 15170

上传失败

  1. 查看日志:
tail -f ~/.openclaw/workspace/upload-server.log

  1. 检查认证值是否正确:

    • Token 用户:cat ~/.openclaw/openclaw.json | grep '"token"'
    • Password 用户:cat ~/.openclaw/openclaw.json | grep '"password"'

  2. 检查文件权限:

ls -la ~/.openclaw/workspace/uploads/
  1. 检查认证配置:
# 查看当前认证模式
cat ~/.openclaw/openclaw.json | grep -A3 '"auth"'

认证问题

问题: 提示 "Invalid authentication"

解决:

  1. 确认 URL 中的 token/password 与配置一致
  2. 检查是否有空格或特殊字符
  3. 重启上传服务:systemctl restart openclaw-upload

问题: 我没有配置认证

解决:

# 配置 token
openclaw config set gateway.auth.token $(openssl rand -hex 32)

# 重启 Gateway
openclaw gateway restart

许可证

MIT

更新日志

v3.1.1 (2026-03-11)

  • 🔧 修复:技能包下载超时问题 - 打包时排除 node_modules 目录
  • 🔧 修复:技能列表下载按钮 - 使用与文件列表相同的 iframe 下载方式
  • 🔐 安全:清理临时文件 - 移除 systemd 服务文件中的硬编码 token
  • 📦 优化:技能包体积 - 从 ~700KB 降至 ~30KB(排除 node_modules)

v3.1.0 (2026-03-11)

  • 新增:技能包浏览与下载 - 网页端直接查看和下载已安装的技能包
  • ✨ 技能包重命名为 file-transfer-thru-local-workspace
  • 🎨 改进:UI 增加技能包列表卡片
  • 🔐 安全:技能包下载需要认证

v3.0.1 (2026-03-10)

  • 🔧 修复:文件下载功能优化

v2.0.0 (2026-03-09)

  • 新增:智能认证适配(Token/Password/无认证)
  • ✨ 新增:独立用户文件目录 uploads/
  • ✨ 新增:Web 页面文件列表展示
  • ✨ 新增:文件删除功能
  • ✨ 新增:自动/手动刷新
  • 🎨 改进:UI 美化,文件图标
  • 🔐 安全:通过完整安全审计
  • 📚 文档:新增认证兼容性说明

v1.0.0 (2026-03-09)

  • 初始版本
  • 支持网页上传
  • 支持中文文件名
  • AI 自动回答上传地址
Usage Guidance
This skill implements a local web upload/download server and mostly matches its description, but I found several worrying inconsistencies you should address before installing: - The installer (install.sh) reads your ~/.openclaw/openclaw.json to find gateway token/password and then writes that value into /etc/systemd/system/openclaw-upload.service as an Environment variable. That effectively stores your gateway credential on disk in a system service file. The SKILL.md claims tokens aren't hard-coded—this conflicts with the actual install script. Review the install.sh and remove or alter the behavior if you do not want credentials persisted in systemd unit files. - The server sets Access-Control-Allow-Origin: * and appears intended to listen on all interfaces (install prints a non-loopback IP). If you install the service as-is it may be reachable from your LAN. If you only want local access, modify the server to bind to 127.0.0.1 or use firewall rules to restrict access. - The code spawns system zip for packaging skills and reads your workspace/skills directory for downloads. If you allow network access, an attacker or a misconfigured environment could access skills or uploaded files. Ensure proper firewalling and authentication. - If you want to proceed: inspect install.sh and src/upload-server.js line-by-line before running. Prefer the non-systemd path (run it as an unprivileged local process bound to localhost) or modify the service file template so it does NOT contain the plaintext GATEWAY token/password. You can also set UPLOAD_PORT and WORKSPACE to safe values and validate that the server binds only to localhost. - If you already installed it and worry about secrets: check /etc/systemd/system/openclaw-upload.service and remove any Environment lines containing tokens, rotate your gateway token/password, and disable the service until cleaned. Use the provided uninstall.sh to remove files and stop the service (but check the service file contents first). I rate this 'suspicious' (not outright malicious) because the functionality aligns with the advertised purpose, but the implementation makes unsafe choices and contradicts the skill's security claims. If the developer can provide a version that does not persist credentials into systemd, binds to localhost by default, and documents the exact files written, the risk would be much lower.
Capability Analysis
Type: OpenClaw Skill Name: file-transfer-thru-local-workspace Version: 3.1.1 The skill implements a 'skill browser' feature in `src/upload-server.js` that allows anyone with the gateway token to download any installed skill bundle from the filesystem as a ZIP file, which could lead to the exfiltration of secrets or configurations stored in other skills. Additionally, the `install.sh` script extracts the primary OpenClaw gateway token/password and stores it in plaintext within a systemd service file (`openclaw-upload.service`), potentially exposing the main authentication secret to other local users. While these behaviors are documented as features in `SKILL.md` and `clawhub.json`, they represent significant security risks and an expanded attack surface.
Capability Assessment
Purpose & Capability
The declared purpose (local upload/download, skill browser) matches the code that serves upload pages, manages an uploads dir, and zips skills. However the installer writes a systemd service under /etc/systemd/system and embeds Gateway auth into that file, which is a stronger system footprint than the SKILL.md and manifest suggest. The skill also reads ~/.openclaw/openclaw.json (sensitive config) even though no credentials were declared in metadata.
Instruction Scope
SKILL.md instructs the AI and users to consult ~/.openclaw/openclaw.json for auth (which is relevant), but the install script and server actively read that file and the installer injects its value into the systemd unit. The SKILL.md emphasises 'do not expose token' and claims no hard-coded tokens, yet install.sh writes an Environment=GATEWAY_AUTH_VALUE=${AUTH_VALUE} line into the unit file—contradiction and scope creep (access to user credentials and system service config).
Install Mechanism
There is no remote download, but the bundled install.sh will copy files into ~/.openclaw/workspace and attempt to create/enable/start a systemd service (writing /etc/systemd/system/openclaw-upload.service). Creating a systemd unit requires elevated rights and persists the service; the script hard-codes the auth value into that unit. This install behavior is more privileged and persistent than the manifest's 'no required env/credentials' implies.
Credentials
The package declares no required env vars/credentials, but the installer and server read ~/.openclaw/openclaw.json for gateway token/password and then persist the value into the systemd Environment line. Persisting sensitive auth into /etc/systemd/system is disproportionate to the stated goal (serving uploads) and contradicts the SKILL.md's security claims about not hard-coding tokens.
Persistence & Privilege
The skill installs a persistent systemd service (or otherwise runs as a background process) so it will run continuously. That persistence plus the hard-coded Environment=GATEWAY_AUTH_VALUE in the unit file increases blast radius: the service can serve files on the network and a credential is stored on disk in a system service file. The skill is not marked always:true, but it still gains persistent/system-level presence when installed as provided.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install file-transfer-thru-local-workspace
  3. After installation, invoke the skill by name or use /file-transfer-thru-local-workspace
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.1.1
file-transfer-thru-local-workspace v3.1.1 - 修复技能包下载超时问题,打包时自动排除 node_modules 目录,大幅减少包体积 - 技能列表下载按钮优化,统一使用 iframe 方式下载 - 提升安全性,移除 systemd 服务文件中的硬编码 token - 技能包体积优化,从约 700KB 降至约 30KB
Metadata
Slug file-transfer-thru-local-workspace
Version 3.1.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is file-transfer-thru-local-workspace?

通过网页上传下载文件至本地 workspace,支持智能认证、文件管理及技能包浏览下载,文件不离开本地服务器。 It is an AI Agent Skill for Claude Code / OpenClaw, with 360 downloads so far.

How do I install file-transfer-thru-local-workspace?

Run "/install file-transfer-thru-local-workspace" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is file-transfer-thru-local-workspace free?

Yes, file-transfer-thru-local-workspace is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does file-transfer-thru-local-workspace support?

file-transfer-thru-local-workspace is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created file-transfer-thru-local-workspace?

It is built and maintained by chengwang86 (@chengwang86); the current version is v3.1.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments