Send Me My Files - R2 upload with short lived signed urls
by julianengel · v1.0.4
2904 Downloads · 2 Stars · 1 Active Installs · 5 Versions
Install in OpenClaw
/install r2-upload
Description
Upload files to Cloudflare R2, AWS S3, or any S3-compatible storage and generate secure presigned download links with configurable expiration.
Usage Guidance
This skill appears to do what it claims, but be aware of the practical security implications before installing:
- You must provide access keys (Access Key ID + Secret) for buckets; prefer creating bucket-scoped tokens with minimal permissions (Object Read/Write only) and avoid account-wide/admin tokens.
- The onboarding script writes ~/.r2-upload.yml containing your credentials (the script sets file mode 0600). Keep that file private and do not commit it to source control.
- The skill can read any local file path you instruct it to upload. Only upload files you intend to share and avoid giving the agent paths to sensitive system files.
- The code currently documents missing protections (no file-size limit, no file-type allowlist, minimal key sanitization). Consider using short presigned expirations (default 5m), rotating credentials if compromised, and reviewing bucket contents regularly.
- If you need stricter controls, consider adding the recommended security checks (file size limits, key sanitization, allowed extensions) before using in a production environment.
Overall: coherent for its stated use. Use least-privilege tokens and cautious operational practices.
Capability Analysis
Type: OpenClaw Skill
Name: r2-upload
Version: 1.0.4
The skill is classified as suspicious due to its inherent powerful capabilities, specifically the ability to read and upload any local file path specified by the agent (`file_path` argument in `r2_upload` in `src/index.ts`), combined with the explicit acknowledgment in `README.md` and `SECURITY.md` of missing security controls such as file size limits, file type restrictions, and comprehensive path sanitization. While these capabilities are necessary for the skill's stated purpose of uploading files to cloud storage, their lack of internal safeguards presents a higher risk profile, as a compromised or malicious agent could exploit them for data exfiltration or denial of service without the skill itself having malicious intent.
Capability Assessment
Purpose & Capability
The name and description match the implementation: the code uses the AWS SDK to upload objects, list and delete objects, and generate presigned URLs. Required credentials (access key / secret) are collected via the local config and used only for S3/R2 endpoints. No unrelated services, binaries, or credentials are requested.
Instruction Scope
Runtime instructions and the onboarding script explicitly ask for S3/R2 credentials and instruct writing ~/.r2-upload.yml. The skill reads arbitrary local file paths (file_path) to upload — this is required for the stated purpose but means the skill can access any file the agent is instructed to upload. The code and docs also note some missing protections (no file-size enforcement, no key sanitization), which are legitimate limitations rather than incoherent behavior.
Install Mechanism
There is no remote install/download step in the skill package; dependencies are standard npm packages (AWS SDK, js-yaml, mime-types). All dependencies resolve from public registries and the package.json is consistent with the stated functionality.
Credentials
The skill does not declare required environment variables or request unrelated credentials. It uses an on-disk config file (~/.r2-upload.yml) and respects R2_UPLOAD_CONFIG and R2_DEFAULT_BUCKET overrides — these are appropriate. The onboarding flow requests only storage credentials needed to perform uploads/list/delete and tests the connection.
Persistence & Privilege
`always` is false and the skill does not attempt to modify other skills or system-level agent configuration. It writes a per-user config file to the home directory (mode 0600) which is expected for storing credentials for this functionality.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install r2-upload
- After installation, invoke the skill by name or use /r2-upload
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.4
Updated skill name to 'Send Me My Files - R2 upload with short lived signed urls'
v1.0.3
Added frontmatter with summary to SKILL.md for better metadata
v1.0.2
Added summary and improved descriptions for better discoverability
v1.0.1
Added security considerations to README. No code changes.
v1.0.0
Initial release: Upload files to Cloudflare R2 or any S3-compatible storage with presigned URLs. Features: multi-bucket support, configurable expiration, interactive TypeScript onboarding.
Frequently Asked Questions
What is Send Me My Files - R2 upload with short lived signed urls?
Upload files to Cloudflare R2, AWS S3, or any S3-compatible storage and generate secure presigned download links with configurable expiration. It is an AI Agent Skill for Claude Code / OpenClaw, with 2904 downloads so far.
How do I install Send Me My Files - R2 upload with short lived signed urls?
Run "/install r2-upload" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Send Me My Files - R2 upload with short lived signed urls free?
Yes, Send Me My Files - R2 upload with short lived signed urls is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Send Me My Files - R2 upload with short lived signed urls support?
Send Me My Files - R2 upload with short lived signed urls is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Send Me My Files - R2 upload with short lived signed urls?
It is built and maintained by julianengel (@julianengel); the current version is v1.0.4.