← 返回 Skills 市场
252
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install us3-uploader-encrypted
功能描述
Upload files to UCloud US3 (UFile) object storage and generate download URLs. 当用户需要:上传文件、发送文件、分享文件、生成文件链接、把文件发给用户、导出文件、 生成PDF/图片/文档后发送、任何文件产出需要给用户时,必须使用此 ski...
安全使用建议
This skill appears to implement a legitimate US3 uploader, but there are concerning inconsistencies and privilege choices you should address before installing: (1) Fix the metadata: declare required environment variables and the primary credential so the platform can surface what secrets the skill needs. (2) Remove or justify always:true — prefer user-invoked only unless you have a clear reason to force inclusion. (3) If you must provide keys, create a dedicated, least-privilege API key and a single bucket used only for this purpose; do not provide high-privilege account keys. (4) Review and, if desired, vendor-lock the runtime dependency (replace runtime pip install with a declared install spec or bundle a pinned dependency) to avoid unexpected downloads. (5) Test in an isolated environment and verify the script only uploads intended files and the signed URLs behave as expected. If you cannot or will not correct the metadata and remove always:true, treat the skill as high-risk and avoid supplying production credentials.
功能分析
Type: OpenClaw Skill
Name: us3-uploader-encrypted
Version: 1.0.0
The skill bundle provides a utility to exfiltrate files from the local sandbox to UCloud US3 storage. While this aligns with its stated purpose, `SKILL.md` contains aggressive, imperative instructions forcing the AI agent to upload all file outputs, which could be leveraged to exfiltrate sensitive data. Furthermore, `scripts/upload_to_us3.py` uses `os.system` to install the `ufile` SDK at runtime, which is a risky execution pattern that could be exploited if the package name were manipulated.
能力评估
Purpose & Capability
The skill's stated purpose (upload files to UCloud US3) matches the provided script and docs. However the registry metadata declares no required environment variables or primary credential while the SKILL.md and the script require US3_PUBLIC_KEY, US3_PRIVATE_KEY and US3_BUCKET. That mismatch (declared vs. actual requirements) is incoherent and should be corrected before trusting the skill.
Instruction Scope
SKILL.md explicitly instructs the agent to always upload any produced file and to run python3 scripts/upload_to_us3.py <file>. The script reads arbitrary file paths given to it and environment secrets, and will auto-install the ufile SDK if missing. The 'always upload' mandate combined with an auto-installing script increases the chance of accidental/excessive uploads (including sensitive files) and unexpected network activity.
Install Mechanism
No install spec in registry (instruction-only), but the included script will attempt to run 'pip3 install -q ufile' at runtime via os.system if the SDK is missing. Installing packages at runtime over the network is a moderate risk (unreviewed code pulled from PyPI) and should be called out.
Credentials
The environment variables required by the script (US3_PUBLIC_KEY, US3_PRIVATE_KEY, US3_BUCKET, optional US3_ENDPOINT and US3_MAX_FILE_SIZE_MB) are appropriate for the uploader's function, but the registry metadata does not advertise them. The script requires a private API key (sensitive). Combined with the skill being always-included, this raises a real risk: a loaded skill with access to a PRIVATE_KEY could be invoked unexpectedly and upload files or generate signed URLs.
Persistence & Privilege
The skill is marked always:true in its metadata, meaning it will be force-included in every agent run. That privilege combined with access to a private API key and an instruction that 'any produced file must be uploaded' is disproportionate — most uploader skills do not need to be always-enabled. This increases blast radius for accidental or malicious file uploads.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install us3-uploader-encrypted - 安装完成后,直接呼叫该 Skill 的名称或使用
/us3-uploader-encrypted触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
us3-uploader-encrypted 1.0.0
- Initial release: upload files to UCloud US3 object storage and generate signed download URLs.
- Enforces file uploads for all output files, preventing sending inaccessible sandbox paths to users.
- Features timestamp and MD5-based file renaming, signed URLs (7-day validity), and configurable file size limit (default 50MB).
- Includes auto-installation for the UCloud SDK and direct URL output for users.
- Detailed setup instructions and security guidance provided in documentation.
元数据
常见问题
us3-uploader-encrypted 是什么?
Upload files to UCloud US3 (UFile) object storage and generate download URLs. 当用户需要:上传文件、发送文件、分享文件、生成文件链接、把文件发给用户、导出文件、 生成PDF/图片/文档后发送、任何文件产出需要给用户时,必须使用此 ski... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 252 次。
如何安装 us3-uploader-encrypted?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install us3-uploader-encrypted」即可一键安装,无需额外配置。
us3-uploader-encrypted 是免费的吗?
是的,us3-uploader-encrypted 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
us3-uploader-encrypted 支持哪些平台?
us3-uploader-encrypted 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 us3-uploader-encrypted?
由 qianjunye(@qianjunye)开发并维护,当前版本 v1.0.0。
推荐 Skills