← 返回 Skills 市场
LMFiles
作者
S. Rob Beck
· GitHub ↗
· v1.0.2
618
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install lmfiles
功能描述
Upload files to lmfiles.com and return public download links via API. Use when a user wants CLI-based file hosting, quick share links, bot-accessible file up...
使用说明 (SKILL.md)
lmfiles
Use lmfiles.com as a lightweight file host for OpenClaw/LLM workflows.
Provenance & trust
- Service docs: https://lmfiles.com/docs
- OpenAPI schema: https://lmfiles.com/openapi.json
- API host: https://lmfiles.com
Primary credential:
LMFILES_API_KEY(required for authenticated operations)
Bootstrap credential:
LMFILES_BOOTSTRAP_TOKEN(used only for first-time account registration)
Security notes:
- Treat credentials as secrets and avoid logging/pasting them.
- Rotate bootstrap token if exposed.
401 Unauthorizedusually means missing/invalidLMFILES_API_KEY.
Before first use (required)
- Register an account once with a bootstrap token.
- Save returned
api_keyasLMFILES_API_KEY. - Use
LMFILES_API_KEYfor all authenticated operations.
Quick setup:
export LMFILES_BOOTSTRAP_TOKEN="\x3Cbootstrap-token>"
curl -sS -X POST https://lmfiles.com/api/v1/accounts/register \
-H "Content-Type: application/json" \
-d '{"username":"my-bot","bootstrap_token":"'"$LMFILES_BOOTSTRAP_TOKEN"'"}'
# Copy api_key from response, then:
export LMFILES_API_KEY="lmf_..."
Common auth error:
401 Unauthorized= missing/invalidLMFILES_API_KEY.
Required env vars
LMFILES_API_KEYfor authenticated file operations (primary credential).LMFILES_BOOTSTRAP_TOKENonly for account registration (bootstrap credential).
Register account (one-time)
curl -sS -X POST https://lmfiles.com/api/v1/accounts/register \
-H "Content-Type: application/json" \
-d '{"username":"my-bot","bootstrap_token":"'"$LMFILES_BOOTSTRAP_TOKEN"'"}'
Or use helper script:
bash scripts/register.sh my-bot
Save returned api_key as LMFILES_API_KEY.
Upload file (max 100 MB)
curl -sS -X POST https://lmfiles.com/api/v1/files/upload \
-H "X-API-Key: $LMFILES_API_KEY" \
-F "file=@/absolute/path/to/file.ext"
Expected response includes:
file_idurl(public download link)
Download (public)
curl -L "https://lmfiles.com/f/\x3Cfile_id>" -o downloaded.file
File metadata (public)
curl -sS "https://lmfiles.com/api/v1/files/\x3Cfile_id>"
Account info and usage
curl -sS https://lmfiles.com/api/v1/accounts/me \
-H "X-API-Key: $LMFILES_API_KEY"
List account files
curl -sS https://lmfiles.com/api/v1/accounts/me/files \
-H "X-API-Key: $LMFILES_API_KEY"
Or helper script:
bash scripts/list.sh
Delete file (owner only)
curl -sS -X DELETE https://lmfiles.com/api/v1/files/\x3Cfile_id> \
-H "X-API-Key: $LMFILES_API_KEY"
Or helper script:
bash scripts/delete.sh \x3Cfile_id>
Constraints
- Max upload size: 100 MB.
- Executable file types are rejected (for example
.php,.sh,.py,.exe). - Files expire after 90 days of inactivity; downloads reset the expiry clock.
- Downloads are public for anyone with the URL.
Safety checks before upload
- Confirm file is safe to publish publicly.
- Avoid uploading secrets or credentials.
- If uncertain, ask user before upload.
安全使用建议
This skill appears to do exactly what it says: simple curl-based helpers for lmfiles.com. Before installing or using it: 1) Verify the lmfiles.com domain and its API docs (the SKILL.md references those URLs). 2) Expect to provide LMFILES_API_KEY (and optionally LMFILES_BOOTSTRAP_TOKEN) — the registry metadata omitted those, so add them to any environment/secret store you use. 3) Remember uploads become publicly downloadable by anyone with the link — do not upload secrets or private credentials. 4) Rotate the bootstrap token after first use and store the API key securely. 5) If you need stricter privacy, confirm the service's retention/expiration and access controls. If you want, ask the publisher why the registry metadata doesn't list the required env vars so automated tooling can enforce secrets handling.
功能分析
Type: OpenClaw Skill
Name: lmfiles
Version: 1.0.2
The skill bundle is designed for legitimate file hosting operations with lmfiles.com. However, it contains multiple shell injection vulnerabilities in its helper scripts and example commands. Specifically, `scripts/upload.sh` directly interpolates user-provided file paths into `curl -F 'file=@${FILE}'`, and `scripts/register.sh` interpolates username and bootstrap token into a JSON string within a `curl -d` argument, both without proper sanitization. These flaws could allow an attacker to execute arbitrary commands on the agent's host system if they can control the inputs to these scripts or commands, classifying it as suspicious due to critical vulnerabilities.
能力评估
Purpose & Capability
Name/description (file hosting via lmfiles.com) match the actual behavior: scripts and SKILL.md call lmfiles.com endpoints for register/upload/list/delete. However the registry metadata earlier lists no required env vars/primary credential while SKILL.md and scripts clearly require LMFILES_API_KEY (and an optional LMFILES_BOOTSTRAP_TOKEN). That metadata omission is an incoherence.
Instruction Scope
SKILL.md and the helper scripts only perform the documented actions (account register, upload, list, delete, metadata lookup) against https://lmfiles.com and explicitly warn about not uploading secrets. They do not attempt to read unrelated files or environment variables beyond the API/bootstrap tokens.
Install Mechanism
This is instruction-only with a few small bundled Bash scripts. No installer, external downloads, or archive extraction are present; scripts are simple curl wrappers.
Credentials
The skill legitimately needs LMFILES_API_KEY for authenticated operations and LMFILES_BOOTSTRAP_TOKEN for initial registration. Those are appropriate for the service, but the registry metadata failed to declare them as required environment variables/primary credential — an inconsistency that could mislead users and automated policy checks.
Persistence & Privilege
The skill does not request always:true or elevated platform privileges and does not modify other skills or system-wide settings. It runs only API calls and uses environment vars for credentials.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install lmfiles - 安装完成后,直接呼叫该 Skill 的名称或使用
/lmfiles触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
v1.0.2
- Added provenance and trust guidance (docs + OpenAPI links).
- Declared credential roles clearly: LMFILES_API_KEY (primary) and LMFILES_BOOTSTRAP_TOKEN (bootstrap).
- Added security handling notes for secrets and auth troubleshooting.
- Helper scripts retained: register.sh, upload.sh, list.sh, delete.sh.
元数据
常见问题
LMFiles 是什么?
Upload files to lmfiles.com and return public download links via API. Use when a user wants CLI-based file hosting, quick share links, bot-accessible file up... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 618 次。
如何安装 LMFiles?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install lmfiles」即可一键安装,无需额外配置。
LMFiles 是免费的吗?
是的,LMFiles 完全免费(开源免费),可自由下载、安装和使用。
LMFiles 支持哪些平台?
LMFiles 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 LMFiles?
由 S. Rob Beck(@setdemos)开发并维护,当前版本 v1.0.2。
推荐 Skills