← 返回 Skills 市场

File Exchange via Qiniu Kodo

Name: File Exchange via Qiniu Kodo
Author: kadbbz

作者宁伟 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

101

总下载

当前安装

版本数

在 OpenClaw 中安装

/install file-exchange-via-qiniu-kodo

功能描述

Transfer files exclusively through Qiniu Kodo using qshell commands for downloading and uploading with timestamped filenames in specific directories.

使用说明 (SKILL.md)

File Exchange via Qiniu Kodo\r

\r OpenClaw 必须通过七牛云 qshell 传输文件，包含但不限于发送附件到聊天，不要用别的方式。\r \r

工具下载与认证\r

\r qshell 的下载地址，下载时请根据当前平台选择对应版本，且务必保留下载链接中的 ref 和 s_path 参数：\r \r

Linux x64: https://kodo-toolbox-new.qiniu.com/qshell-v2.18.0-linux-amd64.tar.gz?ref=developer.qiniu.com&s_path=%2Fkodo%2F1302%2Fqshell\r
Linux arm64: https://kodo-toolbox-new.qiniu.com/qshell-v2.18.0-linux-arm.tar.gz?ref=developer.qiniu.com&s_path=%2Fkodo%2F1302%2Fqshell\r
macOS arm64: https://kodo-toolbox-new.qiniu.com/qshell-v2.18.0-darwin-arm64.tar.gz?ref=developer.qiniu.com&s_path=%2Fkodo%2F1302%2Fqshell\r \r

认证\r

\r 在执行其他qshell指令前，需要使用AK和SK登录： qshell account \x3CYour AccessKey> \x3CYour SecretKey> \x3CYour Account Name>\r \r

\x3CYour AccessKey> : 从环境变量 QINIU_ACCESS_KEY 获取\r
\x3CYour SecretKey> : 从环境变量 QINIU_SECRET_KEY 获取\r
\x3CYour Account Name> : 固定为 openclaw\r \r

接收文件\r

\r 当收到以 file_input:// 开头的消息时：\r \r

从消息中提取 bucket 和文件名。示例：file_input://bname/fname.bin 中，bname 是 bucket，fname.bin 是文件名。第一个空格后的内容一律忽略。\r
下载到 Workspace 下的 file_input 目录。\r
为避免冲突，保存名必须加时间戳前缀，例如 123456_fname.bin。如果原文件名已有时间戳前缀，只替换，不重复追加。\r
用 qshell get \x3Cbucket> \x3Ckey> -o \x3Coutfile> 下载。\r
下载完成后，把该文件的绝对路径加入上下文，再按我的后续要求读取和处理该文件。\r \r

发送文件\r

\r 当你需要把文件发给我时：\r \r

用 qshell bucket openclaw-out 检查名为 openclaw-out 的Bucket 是否存在；若不存在，用 qshell mkbucket openclaw-out --region z0 --private 创建。\r
先把文件复制到 Workspace 下的 file_output 目录。\r
复制后的文件名必须加时间戳前缀，例如 123456_fname.bin。如果原文件名已有时间戳前缀，只替换，不重复追加。\r
用 qshell fput openclaw-out \x3Cnew_name> \x3Clocal_file> 上传。\r
上传成功后，只发送一条消息：file_output://openclaw-out/\x3Cnew_name>。\r
不要在这条消息前后附加解释、道歉、状态汇报或代码块。\r \r

最小约束\r

所有收发都必须走七牛云 qshell。\r
发送文件需要用单独的消息，kind 的值设置为 file，不允许和其他内容合并。\r
file_input 和 file_output 目录不存在时先创建。\r
不要改动 bucket/key 语义；下载时远端 key 是消息中的文件名，上传时远端 key 是重命名后的文件名。\r
不要声称“已做好”却同时又说上传失败。只有上传成功后才能返回 file_output://...。\r \r

官方文档\r

\r https://developer.qiniu.com/kodo/1302/qshell\r

安全使用建议

This skill looks like a legitimate Qiniu Kodo qshell-based file transfer helper, but it has two practical concerns you should address before installing: 1) Metadata mismatch: SKILL.md requires QINIU_ACCESS_KEY and QINIU_SECRET_KEY, but the registry metadata declares no required env vars. Ask the publisher to update metadata to explicitly list these environment variables and their purpose before trusting the skill. 2) Remote binary download: the skill instructs downloading and running qshell tarballs from a qiniu domain. Verify that the URLs are official (confirm on Qiniu's official docs or vendor site), request checksums/signatures, and prefer installing qshell via your vetted package manager or from an audited release. If you must provide credentials, use scoped/minimal-permission keys (bucket-limited), rotate them after testing, and avoid giving long-lived full-account keys. If you cannot verify the qshell binaries or cannot ensure the environment variables are limited in scope, treat this skill as untrusted. Ask the publisher for updated metadata, checksums, and a safer install path (e.g., official package manager or documented vendor release).

功能分析

Type: OpenClaw Skill Name: file-exchange-via-qiniu-kodo Version: 1.0.0 The skill bundle instructs the AI agent to download and execute external binaries (qshell) from a remote URL and access sensitive environment variables (QINIU_ACCESS_KEY, QINIU_SECRET_KEY) for authentication. While these actions are consistent with the stated purpose of providing file exchange via Qiniu Kodo, the requirement to download/run third-party binaries and handle cloud credentials poses a high risk of remote code execution and credential exposure if the source or environment is compromised. File involved: SKILL.md.

能力评估

ℹ Purpose & Capability

Name/description match the SKILL.md: it is explicitly a qshell-based Qiniu Kodo file transfer helper. Requesting Qiniu AK/SK and using qshell is coherent with the stated purpose. However, the registry metadata lists no required environment variables or credentials while the runtime instructions require QINIU_ACCESS_KEY and QINIU_SECRET_KEY — this is an inconsistency.

⚠ Instruction Scope

SKILL.md instructs the agent to download/run qshell, read QINIU_ACCESS_KEY and QINIU_SECRET_KEY from environment variables, create workspace directories, download/upload files with qshell, and insert absolute file paths into the agent context. These actions are within a file-transfer scope, but the instructions access environment variables that are not declared in the skill metadata and require executing a downloaded binary at runtime — both are security-relevant.

⚠ Install Mechanism

No install spec is provided, but the instructions explicitly direct downloading tar.gz binaries from a qiniu domain (kodo-toolbox-new.qiniu.com) with query parameters that the document insists must be preserved. Downloading and running/extracting remote archives at runtime is higher risk: the host is a vendor domain (likely Qiniu) rather than a widely-audited release host like GitHub releases, and the query params raise tracking/validation concerns. The skill does not provide checksums or verification steps.

⚠ Credentials

The SKILL.md requires QINIU_ACCESS_KEY and QINIU_SECRET_KEY (and uses them for qshell account login), which is proportional to a Qiniu upload/download tool. However, the registry metadata claims 'Required env vars: none' — a mismatch. The skill asks for secrets named SECRET/KEY which should be explicitly declared and justified in metadata; lacking that visibility is a red flag.

✓ Persistence & Privilege

The skill is instruction-only, does not set always:true, and does not request system-wide changes or modify other skills. It will create workspace directories and may write files under workspace, which is expected for a file-transfer helper.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install file-exchange-via-qiniu-kodo
安装完成后，直接呼叫该 Skill 的名称或使用 /file-exchange-via-qiniu-kodo 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of file-exchange-via-qiniu-kodo: - Enables file transmission exclusively via Qiniu Cloud `qshell`, including sending attachments in chat. - Provides download links for `qshell` for multiple platforms. - Specifies authentication with AccessKey and SecretKey from environment variables, with account name fixed as `openclaw`. - Details precise procedures for receiving (`file_input://...`) and sending (`file_output://...`) files, including bucket checks, naming conventions with timestamps, and required directory management. - Enforces sending file links as standalone messages with strict formatting and without extra explanations. - Includes minimum constraints to ensure all transfers use `qshell` and directories/bucket/key semantics are consistently applied. - References official Qiniu documentation for further details.

元数据

Slug file-exchange-via-qiniu-kodo

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题