mrnsmh

R2 Storage

Author: Marouane · GitHub · v0.1.0
cross-platform ⚠ suspicious
Total downloads: 514
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install openclaw-skill-r2-storage
Description
Manage Cloudflare R2 object storage (upload, download, list, delete, presigned URLs) using boto3 S3-compatible API. Supports CLI usage and importable Python...
Security usage advice
This skill appears to implement legitimate R2 functionality, but the embedded DEFAULT_ENDPOINT and hard-coded DEFAULT_ACCESS_KEY/DEFAULT_SECRET_KEY are a serious red flag. Before installing or using it:
  1. Do NOT use it with any sensitive data until you confirm the credentials are safe.
  2. Ask the publisher for provenance and why default keys are included; prefer a version that requires the user to supply credentials via environment variables only.
  3. Treat the hard-coded keys as compromised: if you or your organization own the referenced R2 account, rotate those keys immediately.
  4. If you still want the functionality, audit or rewrite the script to remove defaults and require explicit user-provided creds (or use documented secure auth), and confirm no network endpoints other than your intended R2 endpoint will receive data.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-skill-r2-storage
Version: 0.1.0

The skill is classified as suspicious due to the presence of hardcoded Cloudflare R2 access keys, secret keys, and endpoint URL within `scripts/r2.py`. While the skill's stated purpose is benign R2 storage management, the inclusion of these plain-text credentials (DEFAULT_ACCESS_KEY, DEFAULT_SECRET_KEY, DEFAULT_ENDPOINT) represents a severe credential exposure vulnerability. The `SKILL.md` further states these defaults are 'pre-configured for Marouane's account,' indicating they might be active credentials, which could lead to unauthorized access to the associated R2 storage bucket by anyone with access to this skill bundle. This is a critical security flaw, even if not explicitly designed for malicious exfiltration from the user's system.
Capability assessment
Purpose & Capability
Name/description, SKILL.md, and the included scripts/r2.py are consistent: the skill implements S3-compatible R2 operations using boto3. However, the registry metadata declares no required environment variables while SKILL.md documents R2_* env vars and the code uses them (with defaults). The omission of required env vars from metadata is an inconsistency.
Instruction Scope
Instructions are narrowly scoped to R2 operations and CLI import usage, which matches the code. But SKILL.md states "defaults are pre-configured for Marouane's account" and the script includes DEFAULT_* credentials and a default endpoint — the instructions effectively permit and encourage use of embedded account credentials rather than only user-provided ones, which is unexpected and risky.
Install Mechanism
No install spec is provided (instruction-only skill plus a Python script). No downloads or archive extraction; risk from install mechanism is low.
Credentials
The Python script contains hard-coded DEFAULT_ACCESS_KEY, DEFAULT_SECRET_KEY, and DEFAULT_ENDPOINT values that grant access to an external R2 account if valid. The skill metadata does not require any credentials, yet SKILL.md documents environment variables for credentials — this is disproportionate and suspicious because the code will operate with embedded secrets if env vars are not set. Hard-coded credentials in a published skill can enable covert data exfiltration to the actor-controlled R2 account.
Persistence & Privilege
The skill does not request always:true, doesn't modify other skills or global agent configs, and does not claim persistent system privileges. Autonomous invocation is enabled by default (normal).
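How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install openclaw-skill-r2-storage
  3. Once installation completes, call the Skill by name or trigger it with /openclaw-skill-r2-storage
  4. Provide the required input according to the Skill's parameter description to get structured output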
Version history
v0.1.0
Initial release of the r2-storage skill for Cloudflare R2 management:
- Upload, download, list, and delete objects in R2 buckets via S3-compatible API.
- Generate pre-signed URLs for temporary, shareable object access.
- Usable both as a Python module and a command-line tool.
- Simple credential management through environment variables.
- Relies on boto3 and supports all standard usage patterns.
Metadata
Slug openclaw-skill-r2-storage
Version 0.1.0
License
Total installs 1
Current installs 1
Version count 1
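FAQ

What is R2 Storage?

Manage Cloudflare R2 object storage (upload, download, list, delete, presigned URLs) using boto3 S3-compatible API. Supports CLI usage and importable Python... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 514 total downloads to date.

How do I install R2 Storage?

Run the command "/install openclaw-skill-r2-storage" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is R2 Storage free?

Yes, R2 Storage is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does R2 Storage support?

R2 Storage runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed R2 Storage?

Developed and maintained by Marouane (@mrnsmh); the current version is v0.1.0.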
