aliyun-oss-upload
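v1.0.0
Alibaba Cloud OSS file upload tool that uploads files to Alibaba Cloud Object Storage and generates temporary access links. Use case: upload a local file to OSS and get a shareable temporary URL. Requires the ALIYUN_OSS_ACCESS_KEY_ID, ALIYUN_OSS_ACCESS_KEY_SECRET, ALIYUN_OSS_ENDPOINT, and ALIYUN_OSS_BUCKET environment variables to be configured.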
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and the included Python script all align: the skill uploads local files to Alibaba Cloud OSS and generates signed (temporary) URLs. However, the registry metadata lists no required environment variables or primary credential even though the runtime requires ALIYUN_OSS_ACCESS_KEY_ID and ALIYUN_OSS_ACCESS_KEY_SECRET — an inconsistency between declared metadata and actual requirements.
Instruction Scope
SKILL.md directs the agent/user to set the OSS-related env vars, install oss2 via pip, and run the provided script. The script itself only reads the documented OSS env vars, checks local file paths, calls the oss2 API, and prints results — no unrelated file reads, system scans, or external endpoints beyond the configured OSS endpoint.
Install Mechanism
There is no install spec; it's instruction + included Python script. Dependency installation is a standard pip install oss2. No downloads from arbitrary URLs or archive extraction are present.
Credentials
The skill legitimately needs ALIYUN_OSS_ACCESS_KEY_ID, ALIYUN_OSS_ACCESS_KEY_SECRET, ALIYUN_OSS_ENDPOINT, and ALIYUN_OSS_BUCKET — these are appropriate for OSS operations. The concern is that the registry metadata did not declare these required env vars/credentials, which is an omission that can hide the fact that secret credentials are necessary and used at runtime.
Persistence & Privilege
The skill does not request persistent/always-on presence and does not modify other skills or system-wide settings. It runs as an invoked script and uses only its own configuration.
What to consider before installing
This skill's code implements a straightforward OSS uploader and signed-URL generator and uses only the documented OSS environment variables. However: 1) the registry metadata omitted the required secret env vars — treat that as an indicator to be cautious before providing credentials; 2) the package source and homepage are missing and the owner is unknown — prefer code from a known/verified source. Before installing or using: (a) review the included scripts (done here — they look straightforward), (b) avoid putting long-lived root/owner credentials in your shell; create a least-privilege AccessKey for this purpose, or use temporary STS credentials if possible, (c) store secrets in a secure vault instead of plaintext env in shared machines, (d) test the script in an isolated environment, and (e) ask the publisher to correct the registry metadata to declare the required env vars and provide provenance (homepage/repo/signature). If you need higher assurance, request a verified source or run the script only with a restricted test bucket.
Like a lobster shell, security has layers — review code before you run it.
latestvk972s5sm29vm2nx0yxwnejzanx80d8d5
