Total downloads: 365
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install us3
Description
Upload files to UCloud US3 object storage and generate public URLs
Security usage recommendations
This skill's code matches its purpose (upload local files to UCloud US3) but contains several red flags you should consider before installing:
- Runtime/dependency gaps: Examples call `node` and the code requires npm packages (ufile, mime) but the skill declares no required binaries and has no install step. Ensure Node and the listed npm deps are installed in the agent environment before use.
- Unused/extra env var: SKILL.md and metadata request US3_ENDPOINT but the script does not use it — verify whether your environment needs that variable or if the skill is out of sync with its docs.
- Sensitive credentials: The skill needs your US3_PRIVATE_KEY and US3_PUBLIC_KEY. These grant upload access to the bucket; only provide keys you trust, consider using least-privilege credentials, and rotate/revoke keys if you stop using the skill.
- Exfiltration risk: The tool will read arbitrary local files you point it at and upload them to a public bucket. Don't run it with paths to secrets or sensitive files unless you intend those files to become publicly accessible.
- Operational suggestions: Confirm the bucket domain format is correct for your region, run the script in a sandbox or test account first, install dependencies from trusted sources (npm registry), and consider updating the skill to declare Node as a required binary or to include a safe install step.
If you want to proceed, verify/prepare the runtime (Node + npm deps), supply credentials scoped appropriately, and test uploads with non-sensitive files first.
Functional analysis
Type: OpenClaw Skill
Name: us3
Version: 1.0.0
The OpenClaw AgentSkills skill bundle for UCloud US3 storage appears benign. The `SKILL.md` clearly outlines its purpose to upload files and generate public URLs, requiring UCloud API keys via environment variables, which is standard practice. The `upload.mjs` script correctly parses command-line arguments using `node:util.parseArgs`, preventing direct shell injection into the Node.js script. While the `--key` parameter example in `SKILL.md` shows shell command substitution (`$(date ...)`) for dynamic naming, this is executed by the invoking shell (the AI agent) before the argument reaches the Node.js script, which then treats the result as a literal string for the object key. The script uses standard Node.js modules and the legitimate `ufile` SDK for UCloud interaction. There is no evidence of data exfiltration to unauthorized endpoints, persistence mechanisms, obfuscation, or other malicious behaviors. The ability to read local files is inherent to an upload skill, and there's no indication of intent to access sensitive files beyond what's explicitly provided as input.
Capability assessment
Purpose & Capability
Name/description match the code: upload local files to UCloud US3 and produce public URLs. The code requires US3_PUBLIC_KEY, US3_PRIVATE_KEY, and US3_BUCKET which are appropriate. However, the registered metadata and SKILL.md also list US3_ENDPOINT although the runtime code does not use it, and the registry claims no required binaries despite examples invoking `node` — a missing runtime declaration is inconsistent with the stated purpose.
Instruction Scope
SKILL.md instructs running the bundled node script on arbitrary local files (including /tmp and other paths). That is consistent with an upload tool, but it means the skill can read and transmit any local file the agent is told to upload (exfiltration risk if misused). The instructions reference US3_ENDPOINT and absolute skill paths (/root/clawdbot/skills/us3/upload.mjs), which may not match every runtime environment. The runtime script itself does not access files or variables beyond what it should for uploads.
Install Mechanism
This is marked as instruction-only with no install spec, but the package.json/package-lock and upload.mjs require Node and npm packages (ufile, mime, etc.). The registry declares no required binaries. There is therefore no declared mechanism to ensure dependencies exist (or to install them), which is an operational/coherence problem and increases the chance the skill will fail or be run in an unexpected environment.
Credentials
The skill requests US3_PUBLIC_KEY (primary), US3_PRIVATE_KEY, US3_BUCKET and US3_ENDPOINT. The code uses the first three but does not read US3_ENDPOINT, so that variable is unnecessary according to the provided source — a mismatch. The private key is required for signing uploads which is expected, but users should recognize this gives full upload access to the configured public bucket (and could be used to exfiltrate files if misused).
Persistence & Privilege
No elevated persistence requested (always: false). The skill does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (default) but not combined with other high-risk flags.
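How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install us3
- Once installation completes, call the skill by name or use /us3 to trigger it
- Provide the required inputs according to the skill's parameter description to get structured output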
Version history
v1.0.0
Initial release of US3 skill for uploading and sharing files via UCloud US3 object storage.
- Upload local files to UCloud US3 and receive public URLs.
- Supports custom object keys and optional URL-only output.
- Accepts popular file types including images, videos, documents, audio, and archives.
- Returns JSON upload results or direct URLs for easy integration.
- Designed for common workflows like Feishu image uploads and batch file processes.
- Includes comprehensive usage instructions and error handling guidance.
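FAQ
What is us3-skill?
Upload files to UCloud US3 object storage and generate public URLs. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 365 total downloads to date.
How do I install us3-skill?
Run the command "/install us3" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is us3-skill free?
Yes, us3-skill is completely free (open source and free of charge); you can download, install and use it freely.
Which platforms does us3-skill support?
us3-skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed us3-skill?
It is developed and maintained by qianjunye (@qianjunye); the current version is v1.0.0.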