stratos-storage

Upload and download files to/from Stratos Decentralized Storage (SDS) network. Use when the user wants to store files on Stratos, retrieve files from Stratos, upload to decentralized storage, or download from SDS.

This skill appears to do what it claims: upload/download via a Stratos SPFS gateway or a local ppd node. Before installing or invoking it: (1) verify STRATOS_SPFS_GATEWAY points to a trusted gateway (avoid unknown remote endpoints), (2) confirm STRATOS_NODE_DIR points to the intended node (be aware the ppd fallback may access wallet/node files), (3) run the shell scripts manually in a controlled environment first to observe behavior, and (4) note skill.json mentions installing curl with apt/brew which requires package-manager privileges. If you plan to expose a remote gateway, ensure you trust that endpoint because file data and metadata will transit it.

Type: OpenClaw Skill Name: stratos-storage Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability. The `SKILL.md` examples suggest the AI agent might pass user-provided file paths and hashes to `scripts/upload.sh` and `scripts/download.sh` without proper quoting. This allows an attacker to achieve arbitrary command execution via prompt injection (e.g., providing `$(evil_command)` as a file path). While the scripts themselves attempt to interact with a local Stratos SDS gateway (default `http://localhost:18452`) and the `ppd` CLI for legitimate file operations, the lack of robust input sanitization at the agent-script interface creates a significant remote code execution risk.