← Back to Skills Marketplace
514
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-skill-r2-storage
Description
Manage Cloudflare R2 object storage (upload, download, list, delete, presigned URLs) using boto3 S3-compatible API. Supports CLI usage and importable Python...
Usage Guidance
This skill appears to implement legitimate R2 functionality, but the embedded DEFAULT_ENDPOINT and hard-coded DEFAULT_ACCESS_KEY/DEFAULT_SECRET_KEY are a serious red flag. Before installing or using it: 1) Do NOT use it with any sensitive data until you confirm the credentials are safe. 2) Ask the publisher for provenance and why default keys are included; prefer a version that requires the user to supply credentials via environment variables only. 3) Treat the hard-coded keys as compromised: if you or your organization own the referenced R2 account, rotate those keys immediately. 4) If you still want the functionality, audit or rewrite the script to remove defaults and require explicit user-provided creds (or use documented secure auth), and confirm no network endpoints other than your intended R2 endpoint will receive data.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-skill-r2-storage
Version: 0.1.0
The skill is classified as suspicious due to the presence of hardcoded Cloudflare R2 access keys, secret keys, and endpoint URL within `scripts/r2.py`. While the skill's stated purpose is benign R2 storage management, the inclusion of these plain-text credentials (DEFAULT_ACCESS_KEY, DEFAULT_SECRET_KEY, DEFAULT_ENDPOINT) represents a severe credential exposure vulnerability. The `SKILL.md` further states these defaults are 'pre-configured for Marouane's account,' indicating they might be active credentials, which could lead to unauthorized access to the associated R2 storage bucket by anyone with access to this skill bundle. This is a critical security flaw, even if not explicitly designed for malicious exfiltration from the user's system.
Capability Assessment
Purpose & Capability
Name/description, SKILL.md, and the included scripts/r2.py are consistent: the skill implements S3-compatible R2 operations using boto3. However, the registry metadata declares no required environment variables while SKILL.md documents R2_* env vars and the code uses them (with defaults). The omission of required env vars from metadata is an inconsistency.
Instruction Scope
Instructions are narrowly scoped to R2 operations and CLI import usage, which matches the code. But SKILL.md states "defaults are pre-configured for Marouane's account" and the script includes DEFAULT_* credentials and a default endpoint — the instructions effectively permit and encourage use of embedded account credentials rather than only user-provided ones, which is unexpected and risky.
Install Mechanism
No install spec is provided (instruction-only skill plus a Python script). No downloads or archive extraction; risk from install mechanism is low.
Credentials
The Python script contains hard-coded DEFAULT_ACCESS_KEY, DEFAULT_SECRET_KEY, and DEFAULT_ENDPOINT values that grant access to an external R2 account if valid. The skill metadata does not require any credentials, yet SKILL.md documents environment variables for credentials — this is disproportionate and suspicious because the code will operate with embedded secrets if env vars are not set. Hard-coded credentials in a published skill can enable covert data exfiltration to the actor-controlled R2 account.
Persistence & Privilege
The skill does not request always:true, doesn't modify other skills or global agent configs, and does not claim persistent system privileges. Autonomous invocation is enabled by default (normal).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-skill-r2-storage - After installation, invoke the skill by name or use
/openclaw-skill-r2-storage - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of the r2-storage skill for Cloudflare R2 management:
- Upload, download, list, and delete objects in R2 buckets via S3-compatible API.
- Generate pre-signed URLs for temporary, shareable object access.
- Usable both as a Python module and a command-line tool.
- Simple credential management through environment variables.
- Relies on boto3 and supports all standard usage patterns.
Metadata
Frequently Asked Questions
What is R2 Storage?
Manage Cloudflare R2 object storage (upload, download, list, delete, presigned URLs) using boto3 S3-compatible API. Supports CLI usage and importable Python... It is an AI Agent Skill for Claude Code / OpenClaw, with 514 downloads so far.
How do I install R2 Storage?
Run "/install openclaw-skill-r2-storage" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is R2 Storage free?
Yes, R2 Storage is completely free (open-source). You can download, install and use it at no cost.
Which platforms does R2 Storage support?
R2 Storage is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created R2 Storage?
It is built and maintained by Marouane (@mrnsmh); the current version is v0.1.0.
More Skills