← 返回 Skills 市场
Send Me My Files - R2 upload with short lived signed urls
作者
julianengel
· GitHub ↗
· v1.0.4
2904
总下载
2
收藏
1
当前安装
5
版本数
在 OpenClaw 中安装
/install r2-upload
功能描述
Upload files to Cloudflare R2, AWS S3, or any S3-compatible storage and generate secure presigned download links with configurable expiration.
安全使用建议
This skill appears to do what it claims, but be aware of the practical security implications before installing:
- You must provide access keys (Access Key ID + Secret) for buckets; prefer creating bucket-scoped tokens with minimal permissions (Object Read/Write only) and avoid account-wide/admin tokens.
- The onboarding script writes ~/.r2-upload.yml containing your credentials (the script sets file mode 0600). Keep that file private and do not commit it to source control.
- The skill can read any local file path you instruct it to upload. Only upload files you intend to share and avoid giving the agent paths to sensitive system files.
- The code currently documents missing protections (no file-size limit, no file-type allowlist, minimal key sanitization). Consider using short presigned expirations (default 5m), rotate credentials if compromised, and review bucket contents regularly.
- If you need stricter controls, consider adding the recommended security checks (file size limits, key sanitization, allowed extensions) before using in a production environment.
Overall: coherent for its stated use. Use least-privilege tokens and cautious operational practices.
功能分析
Type: OpenClaw Skill
Name: r2-upload
Version: 1.0.4
The skill is classified as suspicious due to its inherent powerful capabilities, specifically the ability to read and upload any local file path specified by the agent (`file_path` argument in `r2_upload` in `src/index.ts`), combined with the explicit acknowledgment in `README.md` and `SECURITY.md` of missing security controls such as file size limits, file type restrictions, and comprehensive path sanitization. While these capabilities are necessary for the skill's stated purpose of uploading files to cloud storage, their lack of internal safeguards presents a higher risk profile, as a compromised or malicious agent could exploit them for data exfiltration or denial of service without the skill itself having malicious intent.
能力评估
Purpose & Capability
The name and description match the implementation: the code uses the AWS SDK to upload objects, list and delete objects, and generate presigned URLs. Required credentials (access key / secret) are collected via the local config and used only for S3/R2 endpoints. No unrelated services, binaries, or credentials are requested.
Instruction Scope
Runtime instructions and the onboarding script explicitly ask for S3/R2 credentials and instruct writing ~/.r2-upload.yml. The skill reads arbitrary local file paths (file_path) to upload — this is required for the stated purpose but means the skill can access any file the agent is instructed to upload. The code and docs also note some missing protections (no file-size enforcement, no key sanitization), which are legitimate limitations rather than incoherent behavior.
Install Mechanism
There is no remote install/download step in the skill package; dependencies are standard npm packages (AWS SDK, js-yaml, mime-types). All dependencies resolve from public registries and the package.json is consistent with the stated functionality.
Credentials
The skill does not declare required environment variables or request unrelated credentials. It uses an on-disk config file (~/.r2-upload.yml) and respects R2_UPLOAD_CONFIG and R2_DEFAULT_BUCKET overrides — these are appropriate. The onboarding flow requests only storage credentials needed to perform uploads/list/delete and tests the connection.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system-level agent configuration. It writes a per-user config file to the home directory (mode 0600) which is expected for storing credentials for this functionality.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install r2-upload - 安装完成后,直接呼叫该 Skill 的名称或使用
/r2-upload触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.4
Updated skill name to 'Send Me My Files - R2 upload with short lived signed urls'
v1.0.3
Added frontmatter with summary to SKILL.md for better metadata
v1.0.2
Added summary and improved descriptions for better discoverability
v1.0.1
Added security considerations to README. No code changes.
v1.0.0
Initial release: Upload files to Cloudflare R2 or any S3-compatible storage with presigned URLs. Features: multi-bucket support, configurable expiration, interactive TypeScript onboarding.
元数据
常见问题
Send Me My Files - R2 upload with short lived signed urls 是什么?
Upload files to Cloudflare R2, AWS S3, or any S3-compatible storage and generate secure presigned download links with configurable expiration. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2904 次。
如何安装 Send Me My Files - R2 upload with short lived signed urls?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install r2-upload」即可一键安装,无需额外配置。
Send Me My Files - R2 upload with short lived signed urls 是免费的吗?
是的,Send Me My Files - R2 upload with short lived signed urls 完全免费(开源免费),可自由下载、安装和使用。
Send Me My Files - R2 upload with short lived signed urls 支持哪些平台?
Send Me My Files - R2 upload with short lived signed urls 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Send Me My Files - R2 upload with short lived signed urls?
由 julianengel(@julianengel)开发并维护,当前版本 v1.0.4。
推荐 Skills