Qiniu Upload

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill does what it says—uploads a chosen local file to Qiniu—but users should understand that it needs Qiniu credentials and may make the uploaded file reachable by URL.

Before installing, make sure you are comfortable giving the skill Qiniu upload credentials and uploading selected local files to the configured bucket. Prefer least-privilege keys, confirm whether returned URLs are public or signed private links, and avoid passing the output JSON or URL to other services unless the file is meant to be accessible there.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local file chosen for upload will leave the machine and be stored in the configured Qiniu bucket; the returned URL may allow others or downstream services to access it.

Why it was flagged

The script reads the selected local file and uploads it to a Qiniu endpoint. This matches the stated purpose, but it is still an external file transfer the user should intend.

Skill content
const fileBuffer = fs.readFileSync(filePath);
...
form.append('file', new Blob([fileBuffer], { type: mimeType }), fileName);
...
const response = await fetch(endpoint, { method: 'POST', body: form });
Recommendation

Upload only files you intend to share or process externally, and verify whether the bucket/domain is public or private before passing the URL to other services.

What this means

Anyone running the skill with these environment variables lets it create upload tokens and add objects to the configured Qiniu bucket.

Why it was flagged

The script requires Qiniu access and secret keys to sign upload requests and private URLs. This is expected for the integration, but it gives the skill authority over the configured Qiniu bucket.

Skill content
const accessKey = requireEnv('QINIU_ACCESS_KEY');
const secretKey = requireEnv('QINIU_SECRET_KEY');
Recommendation

Use Qiniu credentials scoped to the intended bucket and task where possible, avoid broad administrative keys, and rotate keys if they may have been exposed.