Total downloads: 144
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install share-onetime-link
Description
Generate public one-shot or time-limited download links for files using a local Express server exposed via Cloudflare Tunnel. Links are tokenized, expire aut...
Security usage recommendations
This skill appears to implement a legitimate one-time sharing server, but review and act on the following before installing/running it:
- Treat SHARE_SECRET as mandatory and strong: the server will not run without it (server.js exits if SHARE_SECRET is unset). Do not rely on the registry summary — set a strong secret and SHARE_PUBLIC_URL explicitly.
- Be cautious what files you instruct the skill or an agent to share: share-file.js will copy any path you provide into the shared directory and expose it via a public link. Do not share private keys, credentials, or other sensitive files.
- Verify the public hostname and Cloudflare Tunnel configuration yourself (cloudflared must be present and you must run the tunnel). Ensure the public URL in SHARE_PUBLIC_URL matches your tunnel's hostname.
- The start.sh warning is misleading: it prints a warning when SHARE_SECRET is unset, but server.js will exit if it truly isn't set. Do not assume the server is protected unless you've set and tested SHARE_SECRET.
- Run the server in an isolated environment (or sandbox/workspace) if you want to test, and review logs to confirm files are deleted after download/expiry.
If you want a cleaner metadata posture, ask the publisher to fix the registry env-vars to match SKILL.md and to correct start.sh behavior so it cannot be misinterpreted as safe when SHARE_SECRET is missing.
Functional analysis
Type: OpenClaw Skill
Name: share-onetime-link
Version: 1.2.0
The skill provides a file-sharing service that exposes a local Express server to the public internet via a Cloudflare Tunnel. While the implementation includes security controls such as mandatory secret-based authentication (SHARE_SECRET), tokenized one-time links, and automatic file deletion in server.js, the inherent capability to create a public tunnel for local file access is a high-risk behavior. The share-file.js script facilitates moving any accessible file into the public-facing directory, which could be leveraged for data exfiltration if the agent is manipulated into sharing sensitive files like SSH keys or configuration data.
Capability assessment
Purpose & Capability
The code (server.js + share-file.js) and required binaries (node, cloudflared) align with the stated purpose of creating tokenized one-time links via an Express server exposed through Cloudflare Tunnel. However the registry summary at the top claims 'Required env vars: none' while SKILL.md and the server require SHARE_SECRET and SHARE_PUBLIC_URL — this metadata mismatch is inconsistent and worth clarifying.
Instruction Scope
Runtime instructions and scripts will copy arbitrary files you point to into the SHARED_DIR and then request the server to generate a public /dl/<token> URL. That behavior is expected for a sharing tool, but it also enables exfiltration of any local file you ask it to share (e.g., system keys). The SKILL.md also suggests conversational agent invocation ('Just ask naturally'), which could cause an agent with file access to add and share sensitive files if allowed. The server enforces a secret for /generate and /status, but start.sh warns about a missing SHARE_SECRET in a misleading way (it prints a warning and then runs node server.js, though server.js will exit if SHARE_SECRET is unset).
Install Mechanism
There is no remote install/download step: all code is included with the skill and dependencies are installed via npm locally. No network-based install from arbitrary URLs is present. This is lower risk than an installer that pulls remote archives.
Credentials
The environment variables requested by the SKILL.md (SHARE_PUBLIC_URL, SHARE_SECRET, optional SHARE_PORT and SHARED_DIR) are proportional to the task. But the registry metadata claims no required env vars, which contradicts the SKILL.md and server.js (server.js refuses to start without SHARE_SECRET). This inconsistency could cause a user to run the skill unprotected by accident if they rely on registry metadata. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It creates a local shared/ directory (relative to the skill) and deletes files after download/expiry; it does not modify other skills or system-wide settings.
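How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install share-onetime-link
- Once installation completes, invoke the Skill by name or trigger it with /share-onetime-link
- Provide the required inputs according to the Skill's parameter description to get structured output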
Version history
v1.2.0
Security fix: SHARE_SECRET is now mandatory (server exits if not set); added env_vars to registry metadata; removed unprotected endpoint bypass; aligned install mechanism declaration
v1.1.1
Packaging fix: exclude node_modules and package-lock.json from published bundle to reduce false positive security alerts
v1.1.0
Security fix: /generate and /status endpoints now protected by SHARE_SECRET; declare required env vars in SKILL.md; add warning when secret is not set
v1.0.0
Initial release: public one-shot download links via Cloudflare Tunnel, configurable TTL, auto-cleanup
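FAQ
What is Share One-Time Link?
Generate public one-shot or time-limited download links for files using a local Express server exposed via Cloudflare Tunnel. Links are tokenized, expire aut... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 144 downloads to date.
How do I install Share One-Time Link?
Run the command "/install share-onetime-link" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.
Is Share One-Time Link free?
Yes. Share One-Time Link is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does Share One-Time Link support?
Share One-Time Link is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Share One-Time Link?
It is developed and maintained by Hitman86R (@hitman86r); the current version is v1.2.0.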