← 返回 Skills 市场
2. Check Configuration (
26
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install cloudinary-cli
功能描述
Upload files and images to Cloudinary via CLI. Use when user wants to upload local files or images to Cloudinary CDN, especially when needing automatic image...
使用说明 (SKILL.md)
Cloudinary CLI Uploader
Upload local files or remote URLs to Cloudinary with automatic image compression support.
Workflow
1. Check Installation
Check if the CLI binary exists at ./cloudinary-cli (project root). If not, run the install script:
bash .agents/skills/cloudinary-cli/scripts/install.sh
If Go is not installed, prompt the user to install Go first.
2. Check Configuration (.env)
Check if cmd/cli/.env exists and contains all required variables. If any are missing, prompt the user for the missing values and write them to cmd/cli/.env.
Required variables:
CLOUDINARY_CLOUD- Cloudinary cloud nameCLOUDINARY_KEY- API keyCLOUDINARY_SECRET- API secret
Optional variables:
CLOUDINARY_DIRECTORY- Upload folder (default: root)CLOUDINARY_COMPRESS- Auto-compress images:true/false(default:true)
3. Upload Files
Run the upload script with file paths:
bash .agents/skills/cloudinary-cli/scripts/upload.sh \x3Cfile1> [file2] ...
Or run the CLI directly:
cd cmd/cli && ../../cloudinary-cli file1.jpg file2.png
The CLI automatically:
- Compresses images when
CLOUDINARY_COMPRESS=true - Leaves non-image files untouched
- Supports both local paths and remote URLs
Image Compression
When CLOUDINARY_COMPRESS is true (default), images are uploaded with Cloudinary q_auto transformation for automatic quality optimization. Supported image formats: jpg, jpeg, png, gif, webp, bmp, tiff, svg, ico, heic, heif, avif.
To disable compression for a specific upload, temporarily set CLOUDINARY_COMPRESS=false in .env.
安全使用建议
Key things to consider before installing/running this skill:
- Metadata mismatch: the skill metadata does not declare required Cloudinary credentials, but the runtime requires CLOUDINARY_CLOUD, CLOUDINARY_KEY, and CLOUDINARY_SECRET. Treat this as a warning sign and verify expected requirements before proceeding.
- Secrets handling: the scripts expect a plaintext file at cmd/cli/.env and will export its contents into the environment. Do not store production credentials in plaintext in the repo. Prefer using a secure secret store or ephemeral/test keys.
- Source-to-binary risk: install.sh builds whatever is at ./cmd/cli in the discovered project root (it finds the nearest go.mod by walking up). If you run this inside a repository you don't fully trust, the build could produce and run code you didn't review. Inspect the cmd/cli source before building or run the build in an isolated environment.
- Inconsistency between docs and code: SKILL.md claims the agent will prompt for missing env values and write them, but upload.sh actually errors if .env is missing. Expect manual setup (creating .env) unless you add a safer prompting/writing flow.
- If you decide to use it: audit the cmd/cli source (the Go code), ensure .env is kept out of commits (add to .gitignore), and use least-privilege Cloudinary credentials (rotate/delete keys after testing).
功能分析
Type: OpenClaw Skill
Name: cloudinary-cli
Version: 1.0.0
The skill contains a shell injection vulnerability in 'scripts/upload.sh' due to the insecure method of loading environment variables using 'export $(grep -v '^#' "$ENV_FILE" | xargs)'. Because 'SKILL.md' instructs the AI agent to prompt the user for credentials and write them directly into the '.env' file, a malicious user or prompt could inject shell commands into the configuration values that would execute when the script is run. While the tool's purpose of uploading to Cloudinary is legitimate, the lack of input sanitization in the wrapper scripts poses a security risk.
能力标签
能力评估
Purpose & Capability
The SKILL.md and scripts implement a Cloudinary CLI uploader and require CLOUDINARY_CLOUD/KEY/SECRET, and a local Go build of ./cmd/cli — that is coherent with the stated purpose. However the skill metadata declares no required environment variables or primary credential while the runtime explicitly needs Cloudinary API credentials; this metadata mismatch is misleading.
Instruction Scope
Instructions direct the agent to read and export cmd/cli/.env and to build/run a local binary. SKILL.md says the agent should 'prompt the user for missing values and write them to cmd/cli/.env', but the provided upload.sh script does not implement prompting/writing (it errors out if .env is missing). The scripts export the entire .env into the environment (export $(grep -v '^#' "$ENV_FILE" | xargs)), which can leak secrets to any child processes. The installer/search logic walks up the filesystem to find go.mod, which can pick up a different project root than the user expects.
Install Mechanism
There is no registry install; install.sh runs a local 'go build -o cloudinary-cli ./cmd/cli/' after locating a go.mod. This is low-risk in that it doesn't download arbitrary binaries, but it will compile whatever source exists at ./cmd/cli in the discovered project root — potentially building unintended or malicious code if the workspace contains untrusted source.
Credentials
The required credentials (CLOUDINARY_CLOUD, CLOUDINARY_KEY, CLOUDINARY_SECRET) are appropriate for a Cloudinary uploader, but the skill metadata omits these requirements. The runtime practices (writing/reading a plaintext cmd/cli/.env and exporting all variables) raise the risk of accidental credential exposure (committing .env to source control or leaking to child processes).
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or modify other skills. It runs on-demand and builds/executes a local binary — normal for a CLI helper.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install cloudinary-cli - 安装完成后,直接呼叫该 Skill 的名称或使用
/cloudinary-cli触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of the Cloudinary CLI upload skill:
- Upload local files or remote URLs directly to Cloudinary via CLI.
- Supports automatic image compression using Cloudinary's `q_auto` transformation.
- Batch uploads and both image/non-image file handling.
- Prompts for required Cloudinary credentials and configuration if missing.
- Simple shell scripts for installation and upload workflow.
元数据
常见问题
Cloudinary Cli 是什么?
Upload files and images to Cloudinary via CLI. Use when user wants to upload local files or images to Cloudinary CDN, especially when needing automatic image... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 26 次。
如何安装 Cloudinary Cli?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install cloudinary-cli」即可一键安装,无需额外配置。
Cloudinary Cli 是免费的吗?
是的,Cloudinary Cli 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Cloudinary Cli 支持哪些平台?
Cloudinary Cli 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Cloudinary Cli?
由 Bryce(@mnhkahn)开发并维护,当前版本 v1.0.0。
推荐 Skills