Publish site on Qutke
v1.0.3将文件和文件夹即时发布到网络。支持 HTML 站点、图片、PDF 及任何文件类型的静态托管。 当用户要求"发布这个"、"托管这个"、"部署这个"、"分享到网上"、"做一个网站"、 "放到线上"、"上传到网络"、"创建网页"、"分享链接"、"搭建站点"或"生成 URL"时使用。 输出一个可访问的 URL,格式为 {...
⭐ 0· 138·0 current·0 all-time
byZhong Yu@haio
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, the publish.sh script, and the API reference all describe the same functionality (create/update static site on on.qutke.cn). Optional use of $ONQUTKE_API_KEY and ~/.onqutke/credentials is appropriate for an API-based publishing tool.
Instruction Scope
SKILL.md instructs the agent to perform actions required for publishing: build a manifest, call on.qutke.cn APIs, upload files to presigned URLs, finalize publishes, and optionally perform an email-based agent-assisted API key flow. It also recommends the agent persist an API key in ~/.onqutke/credentials and to avoid exposing .onqutke/state.json to users. These actions are within the expected scope for a publishing client, but they do involve writing credentials and local state to the user's home/work directory — the agent will need explicit user consent before storing secrets.
Install Mechanism
No install spec is provided (instruction-only plus a bash script), which is lower risk. The script will use a bundled jq or an on-path jq; its error message recommends a curl | bash installer URL hosted on on.qutke.cn if jq is missing. That advice is in a message only (the script does not auto-run the installer), but recommending a remote curl | bash is a potential risk and should be treated cautiously.
Credentials
The only credential access is the optional ONQUTKE_API_KEY environment variable and the optional credentials file ~/.onqutke/credentials; both are proportional to a publishing client. The skill does not request unrelated credentials or system secrets.
Persistence & Privilege
The skill writes a local cache/state file (.onqutke/state.json) to the working directory and (if the agent saves an API key) may write ~/.onqutke/credentials. This is expected behavior for a CLI client but is persistent and involves storing secrets — users should be warned and confirm before the agent writes to their home directory.
Assessment
This skill appears to do exactly what it says: publish files to on.qutke.cn. Before installing or invoking it, consider: 1) The skill (and its script) may ask the agent to save an API key to ~/.onqutke/credentials — only allow this if you trust on.qutke.cn and want persistent credentials on the machine. 2) The script recommends installing missing tooling via a remote curl | bash URL on on.qutke.cn; avoid running unknown remote installers without review. 3) Anonymous publishing (no API key) is available and expires in 24 hours — use that if you want to avoid storing credentials. 4) If you permit the agent to run this script, verify you consent to writes to your working directory and home (~/.onqutke). If you want extra caution, run the script manually yourself or inspect its contents before letting the agent execute it.Like a lobster shell, security has layers — review code before you run it.
latestvk9786w70bp64dgxrsjjbnjq7k9834q69
License
MIT-0
Free to use, modify, and redistribute. No attribution required.