ClawHub

qiniu-kodo

v1.0.3

七牛云 KODO 对象存储技能。支持文件上传、下载、列出、删除、获取 URL 等操作。 三层架构:MCP 工具(优先)→ Node.js SDK → qshell CLI。

0· 373·2 current·2 all-time
bysilas@aohoyo·duplicate of @aohoyo/qiniu-kodo-skill
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match included Node.js code and an installer for Qiniu KODO. However SKILL.md metadata and required binaries list python3/pip3 and a python package (qiniu-mcp-server) while the packaged code is primarily Node.js (qiniu_node.mjs) and package.json only depends on the qiniu npm package. The docs reference a scripts/qiniu_python module that is not present. This mismatch is unexplained but could be sloppy packaging or incomplete files.
Instruction Scope
Runtime instructions tell the agent to run scripts/setup.sh and node scripts/qiniu_node.mjs (expected). The setup script creates a config file with access/secret keys, updates the user's shell rc to export QINIU_* vars, configures mcporter, and may install qshell and global npm packages. The instructions do not direct data externally beyond contacting known Qiniu endpoints and official devtools.qiniu.com for qshell; they do persist credentials to disk/profile which is within installer scope but should be noted.
Install Mechanism
Installation uses npm (qiniu) and the setup script performs npm -g installs and downloads qshell from https://devtools.qiniu.com — all are expected for this skill and from plausible sources. The script may invoke sudo when moving qshell into /usr/local/bin and writes files under ~/.mcporter and ~/.local; these global installs increase impact if malicious but are coherent for a CLI installer.
!
Credentials
The skill requires (and asks the user to provide) Qiniu accessKey/secretKey but does not declare required environment variables or a primaryEnv in the registry metadata. The setup script writes credentials to config/qiniu-config.json (chmod 600) and appends exports to the user's shell rc — persistent storage of secrets without explicit declaration is a proportionality/information gap. It also configures mcporter and qshell with those credentials.
Persistence & Privilege
The skill does not request always:true. The installer will persist configuration and environment exports to the user's home (config/qiniu-config.json, ~/.mcporter/mcporter.json, and .bashrc/.zshrc) and may move a binary into /usr/local/bin (sudo). These are expected for an installer but grant lasting presence and require reviewing before execution.
What to consider before installing
This skill appears to be a normal Qiniu KODO client, but there are a few red flags to review before installing: - The package declares Python/binaries (python3, pip3) and a python MCP package in metadata, but the distributed code is Node.js only and a referenced scripts/qiniu_python file is missing — ask the author or check for a missing Python implementation. - The installer (scripts/setup.sh) will create config/qiniu-config.json containing your AccessKey/SecretKey, append exports to your shell rc (~/.bashrc or ~/.zshrc), configure ~/.mcporter, and may perform global npm installs and move qshell into /usr/local/bin (uses sudo). Inspect the script fully and do not run it as root without review. - Because credentials are persisted on disk and in shell profile, prefer using least-privileged or ephemeral keys, or manually create the config file instead of running the automated installer. - If you want to proceed: run the setup script in a controlled environment (container or VM), avoid global installs by editing the script or running with --check-only first, and verify network downloads (qshell) point to official domains. Ask the maintainer to fix metadata (declare required env vars and either include or remove Python references) before trusting this skill in production.

Like a lobster shell, security has layers — review code before you run it.

cloudvk97d746rbtc40qk8er8dm8spbh82dag9kodovk97d746rbtc40qk8er8dm8spbh82dag9latestvk97d746rbtc40qk8er8dm8spbh82dag9ossvk97d746rbtc40qk8er8dm8spbh82dag9qiniuvk97d746rbtc40qk8er8dm8spbh82dag9storagevk97d746rbtc40qk8er8dm8spbh82dag9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

☁️ Clawdis
Binsnode, python3, pip3

Install

Install qiniu Node.js SDKnpm i -g qiniu

Comments