Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Qiniu Upload

Upload local files to Qiniu Cloud and return a publicly accessible URL (or signed private URL). Use when the user wants to upload a local file path to Qiniu,...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description are a direct match for the provided script and SKILL.md. Required env vars (QINIU_ACCESS_KEY, QINIU_SECRET_KEY, QINIU_BUCKET, QINIU_DOMAIN) are exactly what a Qiniu upload implementation needs; no unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to run the included Node script with a --file-path and optional flags. The script only reads the specified local file, uses only the declared QINIU_* env vars, uploads to Qiniu endpoints, and returns JSON containing key/url/metadata. It does not attempt to read other system files, other credentials, or send data to unexpected third-party endpoints.
Install Mechanism
There is no install spec or external download. The implementation is shipped as an instruction plus a single Node script — nothing is fetched from external, untrusted URLs during install.
Credentials
Only Qiniu-related environment variables are required (plus optional zone and private flags). The number and type of env vars are proportional to the functionality. Note: successful private URLs contain signed tokens derived from the secret key — that is expected for private object access but means those signed URLs should be treated as secrets.
Persistence & Privilege
The skill does not request permanent/always-on presence (always:false) and does not modify other skills or system-wide config. Autonomous invocation is allowed (default) but not combined with any broad privileges.
Assessment
This skill appears coherent and implements exactly what it claims (upload a local file to Qiniu and return a URL). Before installing or running:

  1) Only provide QINIU_ACCESS_KEY/QINIU_SECRET_KEY to agents you trust — the secret key can be used to create signed URLs and should be protected.
  2) Test with a non-sensitive file first to confirm the runtime environment (Node version) supports global fetch/FormData/Blob APIs (modern Node >=18 is typically required).
  3) Be aware that private signed URLs are bearer tokens: treat them as secrets and limit expiry when appropriate.
  4) Confirm QINIU_DOMAIN points to the intended CDN/public domain to avoid accidental public sharing.
  5) If you need stricter isolation, run the script locally yourself rather than giving credentials to an agent.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • scripts/upload.js:24 - Environment variable access combined with network send.
  • scripts/upload.js:117 - File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0

Runtime requirements

☁️ Clawdis
Env: QINIU_ACCESS_KEY, QINIU_SECRET_KEY, QINIU_BUCKET, QINIU_DOMAIN

SKILL.md

Qiniu Upload

Use this skill when a task needs a local file turned into a Qiniu-hosted URL.

Required environment variables

  • QINIU_ACCESS_KEY
  • QINIU_SECRET_KEY
  • QINIU_BUCKET
  • QINIU_DOMAIN

Optional:

  • QINIU_ZONE - one of z0, z1, z2, na0, as0
  • QINIU_PRIVATE_BUCKET - true to emit signed private URLs by default
  • QINIU_PRIVATE_EXPIRE_SECONDS - default expiry for private URLs

Safety rules

  • Never hardcode Qiniu credentials.
  • Fail fast if any required environment variable is missing.
  • Prefer returning both key and final url.
  • For local files, verify the path exists before upload.

Primary command

Run the Node script:

node scripts/upload.js --file-path "E:\\audio\\sample.mp3" --prefix audio

Optional flags:

  • --private - return a signed private URL
  • --expire-seconds 3600 - private URL expiry
  • --prefix audio - object key prefix
  • --key my/custom/name.mp3 - explicit object key
  • --json - machine-friendly JSON only

Output contract

The script returns JSON like:

{
  "success": true,
  "bucket": "example-bucket",
  "key": "audio/uuid.mp3",
  "url": "https://cdn.example.com/audio/uuid.mp3",
  "isPrivate": false,
  "size": 12345,
  "mimeType": "audio/mpeg",
  "sourcePath": "E:\\audio\\sample.mp3"
}

Domain and access caveat

Some Qiniu domains may sit behind auth or anti-leeching. Upload success does not automatically guarantee anonymous public fetch success. If downstream services need to fetch the object, verify the returned URL is externally accessible, or use private signed URLs / a proper public CDN domain.

Chaining to other skills

After upload succeeds, pass the returned url into downstream skills such as an Aliyun speech transcription workflow.
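
Before the returned url is logged or handed to a downstream skill, the caller can check it against the output contract and strip the signature. The following is an added example, not part of the skill or its scripts/upload.js; it assumes Qiniu private URLs carry the expiry in an `e` query parameter and the signature in `token`, and the names checkUploadResult, expectedHost and maxLifetimeSeconds are hypothetical.

```javascript
// Added example (not the skill's code): vet the JSON output before logging or chaining.
// Assumption: a Qiniu private URL carries `e` (Unix expiry) and `token` (signature).
function checkUploadResult(result, policy, nowSeconds = Math.floor(Date.now() / 1000)) {
  const problems = [];
  if (result.success !== true) problems.push("upload did not report success");
  let parsed, path;
  try {
    parsed = new URL(result.url);
    path = decodeURIComponent(parsed.pathname);
  } catch {
    return { ok: false, problems: ["url is not parseable"], logSafeUrl: null };
  }
  // The host must be the domain the operator configured (hostname of QINIU_DOMAIN).
  if (parsed.hostname !== policy.expectedHost) {
    problems.push(`unexpected host ${parsed.hostname}`);
  }
  // The object path must match the key the script reported.
  if (path !== "/" + result.key) problems.push("url path does not match key");

  const token = parsed.searchParams.get("token");
  const expiry = Number(parsed.searchParams.get("e"));
  if (result.isPrivate) {
    if (parsed.protocol !== "https:") problems.push("signed url uses plain http");
    if (!token) problems.push("isPrivate is true but url has no token");
    if (!Number.isInteger(expiry) || expiry <= nowSeconds) {
      problems.push("signed url has no future expiry");
    } else if (expiry - nowSeconds > policy.maxLifetimeSeconds) {
      problems.push("signed url outlives the allowed lifetime");
    }
  } else if (token) {
    problems.push("isPrivate is false but url carries a token");
  }
  // Keep the signature out of logs: whoever holds it can fetch the object until expiry.
  if (token) parsed.searchParams.set("token", "REDACTED");
  return { ok: problems.length === 0, problems, logSafeUrl: parsed.toString() };
}

// Constructed sample values (placeholders, not real credentials or objects).
const sampleNow = 1700000000;
const samplePolicy = { expectedHost: "cdn.example.com", maxLifetimeSeconds: 3600 };
const samplePrivate = {
  success: true, key: "audio/uuid.mp3", isPrivate: true,
  url: "https://cdn.example.com/audio/uuid.mp3?e=1700086400&token=AK_PLACEHOLDER:SIG_PLACEHOLDER",
};
console.log(checkUploadResult(samplePrivate, samplePolicy, sampleNow));
```

The constructed sample is rejected because its expiry is 86400 seconds out against a 3600-second policy; only logSafeUrl should ever reach logs or chat transcripts.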

Files

4 total