Cloudflare R2
Upload files to Cloudflare R2 storage using wrangler CLI. Use when needing to upload images, videos, or files to R2 for CDN hosting, or manage R2 bucket contents. Triggers on "upload to R2", "upload to Cloudflare", "上传到R2", "存到CDN".
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 3 · 1.4k · 2 current installs · 2 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name, description, install spec (npm wrangler), and the included script all align with the stated purpose of uploading to Cloudflare R2. However, the runtime relies on jq and a local config (~/.config/cloudflare/r2.json) containing an apiToken/accountId that are not declared in the skill metadata.
Instruction Scope
SKILL.md and scripts/r2-upload.sh explicitly instruct the agent to read ~/.config/cloudflare/r2.json and export CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN (sensitive credentials). The skill metadata does not declare those env vars or mention jq, yet the instructions rely on jq to parse the config. Reading a user config file for R2 keys is functionally necessary, but the omission in declared requirements is a scope/visibility problem that could lead to unexpected credential access.
Install Mechanism
Install spec uses npm to install the official-looking 'wrangler' package and creates a wrangler binary — this is expected for a Wrangler-based R2 tool. NPM global installs carry normal supply-chain risks (verify package source/version). No downloads from arbitrary URLs or archive extraction are present.
Credentials
The skill requires a Cloudflare API token and account ID (sensitive) stored in ~/.config/cloudflare/r2.json, but the registry metadata lists no required env vars or primary credential. Additionally, the script depends on jq but jq is not listed as a required binary. This mismatch means the skill will access secrets/configuration that are not clearly declared to the user.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and does not persist itself beyond normal install. Autonomous invocation is allowed by default but is not combined with elevated persistence or cross-skill config access.
What to consider before installing
This skill appears to perform R2 uploads, but it omits some important declarations. Before installing: 1) Confirm you trust the skill source (owner and homepage are unknown). 2) Inspect ~/.config/cloudflare/r2.json — it will be read by the script and must contain your API token; treat that file as sensitive. 3) Ensure jq is installed (the script and SKILL.md use jq) or update the skill metadata to declare jq as a required binary. 4) Verify the npm 'wrangler' package/version you will install is the official Cloudflare Wrangler. 5) Consider running the skill in an isolated environment or with a service account / limited-scope API token (least privilege) rather than your primary Cloudflare token. 6) If you expect the registry metadata to list required env/credentials, ask the maintainer to add CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID (or a primaryEnv) and jq to the declared requirements so the credential access is explicit.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binswrangler
Install
Install Wrangler CLI (npm)
Bins: wrangler
npm i -g wranglerSKILL.md
Cloudflare R2
Upload and manage files in Cloudflare R2 storage buckets.
Prerequisites
wranglerCLI:npm install -g wrangler- R2 config at
~/.config/cloudflare/r2.json
Config Format
{
"bucket": "your-bucket-name",
"accountId": "your-account-id",
"publicDomain": "pub-xxx.r2.dev",
"apiToken": "your-api-token"
}
Quick Upload
Single file:
scripts/r2-upload.sh <local-file> [remote-path]
Batch upload:
scripts/r2-upload.sh <directory> <remote-prefix>
Manual Commands
# Set credentials
export CLOUDFLARE_ACCOUNT_ID="$(jq -r .accountId ~/.config/cloudflare/r2.json)"
export CLOUDFLARE_API_TOKEN="$(jq -r .apiToken ~/.config/cloudflare/r2.json)"
BUCKET=$(jq -r .bucket ~/.config/cloudflare/r2.json)
# Upload
wrangler r2 object put "$BUCKET/path/to/file.png" --file local.png --remote
# List objects
wrangler r2 object list $BUCKET --prefix "path/" --remote
# Delete
wrangler r2 object delete "$BUCKET/path/to/file.png" --remote
Public URL
After upload, files are accessible at:
https://<publicDomain>/<remote-path>
Example: https://pub-xxx.r2.dev/article/image.png
Files
2 totalSelect a file
Select a file to preview.
Comments
Loading comments…