aliyun-oss
v1.0.2
Alibaba Cloud OSS object storage skill. Supports file upload, download, listing, deletion, URL retrieval, and other operations. Two-tier architecture: Node.js SDK (preferred) → ossutil CLI.
by silas@aohoyo
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and code align: the skill uses the ali-oss Node.js SDK to upload/download/list/delete/generate URLs for OSS. Declared runtime (node + ali-oss) matches implementation. Minor mismatch: top-level registry metadata lists no required config paths but the runtime scripts expect config/oss-config.json (the code will throw if it does not exist). _meta.json documents the config location but the skill summary/registry entry omitted it.
Instruction Scope
SKILL.md instructs running scripts/setup.sh and node scripts/oss_node.mjs. setup.sh will create/modify config/oss-config.json, set file permissions, and append ALIYUN_* environment variables to the user's shell rc (~/.bashrc or ~/.zshrc). Those persistent changes to the user's shell profile and credential storage are outside a minimal scope for a 'library wrapper' and should be reviewed. Other runtime behavior (reading local files to upload, listing local directories in examples) is consistent with purpose.
Install Mechanism
Install uses the ali-oss npm package (package.json and the install script call npm install). No downloads from untrusted URLs, no extraction of arbitrary archives, and no obscure third‑party installers. This is a standard npm dependency installation.
Credentials
The skill legitimately needs OSS credentials (accessKeyId/accessKeySecret) to operate; it stores them in config/oss-config.json and setup.sh optionally exports them into shell environment variables. However the registry metadata listed no required env vars or config paths while the runtime requires the config file — a minor inconsistency. The skill does not request unrelated third-party credentials.
Persistence & Privilege
The installer modifies the user's shell rc file to export ALIYUN_ACCESS_KEY_ID, ALIYUN_ACCESS_KEY_SECRET, ALIYUN_BUCKET, and ALIYUN_REGION. This is a persistent change to the user's environment and increases blast radius if credentials are compromised. always:false (normal) and the skill does not alter other skills, but the shell modification is a notable privilege.
What to consider before installing
This skill appears to implement Alibaba Cloud OSS access and is coherent with that purpose, but take the following precautions before installing:
- Inspect scripts/setup.sh yourself. It will create config/oss-config.json with your AccessKey/Secret and append ALIYUN_* exports to ~/.bashrc or ~/.zshrc. If you prefer, create the config file manually instead of using the installer.
- Use least-privilege IAM credentials (a key with only the required OSS permissions) and consider short‑lived or scoped credentials rather than a full-access long‑lived key.
- Confirm you are comfortable with npm installing the ali-oss package into the skill directory; run npm install in an isolated environment if needed.
- After installing, verify config/oss-config.json permissions (script sets chmod 600) and consider removing exported environment variables from your shell rc if you do not want them persisted.
- If you want to reduce persistence, skip the shell configuration step and only keep creds in a tightly permissioned config file.
Given the shell/profile modification and the metadata mismatch about the config file, review the setup script and config handling before proceeding.
Like a lobster shell, security has layers — review code before you run it.
Tags: aliyun, cloud, latest, oss, storage
Runtime requirements
☁️ Clawdis
Bins: node
Install
Install ali-oss Node.js SDK
npm i -g ali-oss