← Back to Skills Marketplace

LMFiles

Name: LMFiles
Author: setdemos

by S. Rob Beck · GitHub ↗ · v1.0.2

cross-platform ⚠ suspicious

618

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install lmfiles

Description

Upload files to lmfiles.com and return public download links via API. Use when a user wants CLI-based file hosting, quick share links, bot-accessible file up...

README (SKILL.md)

lmfiles

Use lmfiles.com as a lightweight file host for OpenClaw/LLM workflows.

Provenance & trust

Service docs: https://lmfiles.com/docs
OpenAPI schema: https://lmfiles.com/openapi.json
API host: https://lmfiles.com

Primary credential:

LMFILES_API_KEY (required for authenticated operations)

Bootstrap credential:

LMFILES_BOOTSTRAP_TOKEN (used only for first-time account registration)

Security notes:

Treat credentials as secrets and avoid logging/pasting them.
Rotate bootstrap token if exposed.
401 Unauthorized usually means missing/invalid LMFILES_API_KEY.

Before first use (required)

Register an account once with a bootstrap token.
Save returned api_key as LMFILES_API_KEY.
Use LMFILES_API_KEY for all authenticated operations.

Quick setup:

export LMFILES_BOOTSTRAP_TOKEN="\x3Cbootstrap-token>"

curl -sS -X POST https://lmfiles.com/api/v1/accounts/register \
  -H "Content-Type: application/json" \
  -d '{"username":"my-bot","bootstrap_token":"'"$LMFILES_BOOTSTRAP_TOKEN"'"}'

# Copy api_key from response, then:
export LMFILES_API_KEY="lmf_..."

Common auth error:

401 Unauthorized = missing/invalid LMFILES_API_KEY.

Required env vars

LMFILES_API_KEY for authenticated file operations (primary credential).
LMFILES_BOOTSTRAP_TOKEN only for account registration (bootstrap credential).

Register account (one-time)

curl -sS -X POST https://lmfiles.com/api/v1/accounts/register \
  -H "Content-Type: application/json" \
  -d '{"username":"my-bot","bootstrap_token":"'"$LMFILES_BOOTSTRAP_TOKEN"'"}'

Or use helper script:

bash scripts/register.sh my-bot

Save returned api_key as LMFILES_API_KEY.

Upload file (max 100 MB)

curl -sS -X POST https://lmfiles.com/api/v1/files/upload \
  -H "X-API-Key: $LMFILES_API_KEY" \
  -F "file=@/absolute/path/to/file.ext"

Expected response includes:

file_id
url (public download link)

Download (public)

curl -L "https://lmfiles.com/f/\x3Cfile_id>" -o downloaded.file

File metadata (public)

curl -sS "https://lmfiles.com/api/v1/files/\x3Cfile_id>"

Account info and usage

curl -sS https://lmfiles.com/api/v1/accounts/me \
  -H "X-API-Key: $LMFILES_API_KEY"

List account files

curl -sS https://lmfiles.com/api/v1/accounts/me/files \
  -H "X-API-Key: $LMFILES_API_KEY"

Or helper script:

bash scripts/list.sh

Delete file (owner only)

curl -sS -X DELETE https://lmfiles.com/api/v1/files/\x3Cfile_id> \
  -H "X-API-Key: $LMFILES_API_KEY"

Or helper script:

bash scripts/delete.sh \x3Cfile_id>

Constraints

Max upload size: 100 MB.
Executable file types are rejected (for example .php, .sh, .py, .exe).
Files expire after 90 days of inactivity; downloads reset the expiry clock.
Downloads are public for anyone with the URL.

Safety checks before upload

Confirm file is safe to publish publicly.
Avoid uploading secrets or credentials.
If uncertain, ask user before upload.

Usage Guidance

This skill appears to do exactly what it says: simple curl-based helpers for lmfiles.com. Before installing or using it: 1) Verify the lmfiles.com domain and its API docs (the SKILL.md references those URLs). 2) Expect to provide LMFILES_API_KEY (and optionally LMFILES_BOOTSTRAP_TOKEN) — the registry metadata omitted those, so add them to any environment/secret store you use. 3) Remember uploads become publicly downloadable by anyone with the link — do not upload secrets or private credentials. 4) Rotate the bootstrap token after first use and store the API key securely. 5) If you need stricter privacy, confirm the service's retention/expiration and access controls. If you want, ask the publisher why the registry metadata doesn't list the required env vars so automated tooling can enforce secrets handling.

Capability Analysis

Type: OpenClaw Skill Name: lmfiles Version: 1.0.2 The skill bundle is designed for legitimate file hosting operations with lmfiles.com. However, it contains multiple shell injection vulnerabilities in its helper scripts and example commands. Specifically, `scripts/upload.sh` directly interpolates user-provided file paths into `curl -F 'file=@${FILE}'`, and `scripts/register.sh` interpolates username and bootstrap token into a JSON string within a `curl -d` argument, both without proper sanitization. These flaws could allow an attacker to execute arbitrary commands on the agent's host system if they can control the inputs to these scripts or commands, classifying it as suspicious due to critical vulnerabilities.

Capability Assessment

ℹ Purpose & Capability

Name/description (file hosting via lmfiles.com) match the actual behavior: scripts and SKILL.md call lmfiles.com endpoints for register/upload/list/delete. However the registry metadata earlier lists no required env vars/primary credential while SKILL.md and scripts clearly require LMFILES_API_KEY (and an optional LMFILES_BOOTSTRAP_TOKEN). That metadata omission is an incoherence.

✓ Instruction Scope

SKILL.md and the helper scripts only perform the documented actions (account register, upload, list, delete, metadata lookup) against https://lmfiles.com and explicitly warn about not uploading secrets. They do not attempt to read unrelated files or environment variables beyond the API/bootstrap tokens.

✓ Install Mechanism

This is instruction-only with a few small bundled Bash scripts. No installer, external downloads, or archive extraction are present; scripts are simple curl wrappers.

⚠ Credentials

The skill legitimately needs LMFILES_API_KEY for authenticated operations and LMFILES_BOOTSTRAP_TOKEN for initial registration. Those are appropriate for the service, but the registry metadata failed to declare them as required environment variables/primary credential — an inconsistency that could mislead users and automated policy checks.

✓ Persistence & Privilege

The skill does not request always:true or elevated platform privileges and does not modify other skills or system-wide settings. It runs only API calls and uses environment vars for credentials.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install lmfiles
After installation, invoke the skill by name or use /lmfiles
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.2

v1.0.2 - Added provenance and trust guidance (docs + OpenAPI links). - Declared credential roles clearly: LMFILES_API_KEY (primary) and LMFILES_BOOTSTRAP_TOKEN (bootstrap). - Added security handling notes for secrets and auth troubleshooting. - Helper scripts retained: register.sh, upload.sh, list.sh, delete.sh.

Metadata

Slug lmfiles

Version 1.0.2

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is LMFiles?

Upload files to lmfiles.com and return public download links via API. Use when a user wants CLI-based file hosting, quick share links, bot-accessible file up... It is an AI Agent Skill for Claude Code / OpenClaw, with 618 downloads so far.

How do I install LMFiles?

Run "/install lmfiles" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is LMFiles free?

Yes, LMFiles is completely free (open-source). You can download, install and use it at no cost.

Which platforms does LMFiles support?

LMFiles is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created LMFiles?

It is built and maintained by S. Rob Beck (@setdemos); the current version is v1.0.2.

More Skills