← 返回 Skills 市场
Resilient File Delivery
作者
Shepherd217
· GitHub ↗
· v1.0.0
870
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install resilient-file-delivery
功能描述
Deliver files via multi-channel fallback (Telegram, Discord, Google Drive, S3, IPFS) with automatic retries, chunking, integrity checks, and delivery tracking.
安全使用建议
This skill raises multiple red flags. Before installing or using it: (1) Do not run the suggested npm/pip install on a production host — the bundle provides no code and would force you to fetch external packages. (2) Ask the publisher for the actual source code or verify the GitHub repo and confirm the package contents match the docs (look for index.js and implementation). (3) Be wary of the phrase 'bypass sandbox restrictions' — that indicates evasive behavior and possible misuse for exfiltration. (4) If you need this capability, run any tests in an isolated environment, and only provide API keys/tokens with least privilege and temporary credentials. (5) Require the author to list precisely which credentials are needed and how they are used; if they cannot justify them, do not install.
功能分析
Type: OpenClaw Skill
Name: resilient-file-delivery
Version: 1.0.0
This skill is classified as suspicious due to its powerful capabilities that, while potentially legitimate, present a significant risk for data exfiltration and unauthorized file transfer if misused. The skill explicitly allows reading arbitrary local files (e.g., `file: '/path/to/file.zip'`) and sending them via multiple external channels (Telegram, Discord, Google Drive, S3, IPFS), as detailed in `SKILL.md` and `README.md`. The repeated claim of 'Bypass sandbox restrictions' further highlights its potential to circumvent security controls. While there's no direct evidence of malicious intent by the developer, the combination of arbitrary file access and multi-channel exfiltration capability makes it a high-risk tool that could be exploited for sensitive data theft if an attacker can control the input to the skill.
能力评估
Purpose & Capability
SKILL.md and README describe multi-channel delivery (Telegram, Discord, Google Drive, S3, IPFS) which legitimately requires service credentials and client libraries. However, the skill package contains no implementation files (no index.js or other code), yet package.json advertises a main entry and the docs instruct npm/pip installs. The skill bundle does not declare or request the credentials it clearly needs. The explicit claim to 'Bypass sandbox restrictions' is particularly concerning and not justified by a normal file-delivery use case.
Instruction Scope
The SKILL.md acts like library docs but also instructs agent operators to install external packages and shows code that would read local filesystem paths (file: '/path/to/file.zip') and send them to external platforms. Those instructions enable reading and transmitting local files to third parties. The guidance to 'bypass sandbox restrictions and email blocks' suggests evasion behavior beyond legitimate delivery and could be abused for data exfiltration.
Install Mechanism
There is no install spec in the skill bundle (instruction-only), which is lower risk by itself, but SKILL.md explicitly tells users to run 'npm install resilient-file-delivery' or 'pip install resilient-file-delivery' — i.e., to fetch and execute external packages. The bundle itself lacks the implementation files referenced in package.json, so the only way to obtain functionality would be to fetch code from external registries/repos at runtime. That external fetch increases risk because arbitrary third-party code would be installed and run.
Credentials
The skill declares no required environment variables or credentials, yet its features and README configuration clearly need tokens/credentials (Telegram BOT_TOKEN, Discord WEBHOOK_URL, Google Drive creds.json, S3 keys, IPFS gateway). This mismatch means the skill as packaged does not declare the sensitive access it requires — a red flag for potential credential misuse or unclear requirements. The README also suggests storing credentials in files (creds.json) which could encourage insecure handling.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable; model invocation is allowed (default). Autonomous invocation is normal for skills, but given the other red flags (undeclared credentials, evasion language, external installs), allowlisted/autonomous execution would increase risk — verify carefully before enabling autonomous runs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install resilient-file-delivery - 安装完成后,直接呼叫该 Skill 的名称或使用
/resilient-file-delivery触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Multi-channel file delivery with automatic fallback (Telegram, Discord, S3, IPFS, email)
元数据
常见问题
Resilient File Delivery 是什么?
Deliver files via multi-channel fallback (Telegram, Discord, Google Drive, S3, IPFS) with automatic retries, chunking, integrity checks, and delivery tracking. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 870 次。
如何安装 Resilient File Delivery?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install resilient-file-delivery」即可一键安装,无需额外配置。
Resilient File Delivery 是免费的吗?
是的,Resilient File Delivery 完全免费(开源免费),可自由下载、安装和使用。
Resilient File Delivery 支持哪些平台?
Resilient File Delivery 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Resilient File Delivery?
由 Shepherd217(@shepherd217)开发并维护,当前版本 v1.0.0。
推荐 Skills