MinIO S3 (Object Storage)

v1.0.0

Deploy, secure, and operate MinIO object storage using mc workflows, policy controls, replication, and incident-safe runbooks.

by Iván (@ivangdavila)
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description (MinIO deployment/operations) match what the skill requests and instructs: it requires mc/curl/openssl, documents mc workflows, and operates against user-managed MinIO endpoints. Declared config path ~/minio/ aligns with the stated memory and runbook files.
Instruction Scope
Instructions are scoped to operational tasks (read-before-write, explicit confirmations for destructive changes, verification, and local notes in ~/minio/). The skill tells the agent to persist operational context locally and to run mc against user-managed endpoints. This is expected, but the agent could accidentally capture secrets if users ignore the explicit 'never store secrets' guidance—there is no enforcement mechanism in an instruction-only skill.
Install Mechanism
No install spec or external code downloads—this is instruction-only and relies on existing binaries (mc, curl, openssl). That minimizes install-time risk.
Credentials
The skill requests no environment variables or credentials and only interacts with user-managed MinIO endpoints (which is appropriate). It documents that it will not store raw credentials, but users should verify they follow that guidance when providing context or running commands.
Persistence & Privilege
always is false and the skill only writes to its own ~/minio/ memory files per the instructions. It does not request modifying other skills or global agent settings.
Assessment
This skill appears coherent for MinIO operational work. Before installing: ensure you trust the MinIO endpoints and credentials you will use, verify mc/curl/openssl are the desired toolchain on your system, and read setup.md to configure explicit approval boundaries. Be careful when saving operational notes—do not paste secrets or raw access keys into ~/minio/ files (the playbook warns against this but cannot enforce it). If you plan to run destructive operations, test the workflows in a non-production environment first and confirm the agent prompts for explicit approval before making changes.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🗂️ Clawdis
OS: Linux · macOS · Windows
Bins: mc, curl, openssl
MIT-0

Setup

On first use, read setup.md to align activation boundaries, environment defaults, and write-approval rules before mutating buckets, policies, or replication.

When to Use

Use this skill when the user needs MinIO deployment, bucket lifecycle operations, access policy work, object retention planning, or incident recovery.

Use this for single-node labs, distributed production clusters, S3-compatible migration tasks, and operational troubleshooting where data durability and access correctness are critical.

Architecture

Memory lives in ~/minio/. See memory-template.md for structure and status values.

~/minio/
|-- memory.md              # Activation preferences and approval model
|-- environments.md        # Endpoint map, topology, and region notes
|-- buckets.md             # Bucket inventory, versioning, lifecycle, lock mode
|-- identities.md          # Users, groups, policies, and credential rotation state
`-- incidents.md           # Outages, corruption events, and validated recovery steps

Quick Reference

Use the smallest file needed for the current task.

Topic | File
Setup and activation behavior | setup.md
Memory structure and status model | memory-template.md
Deployment and topology choices | deployment-patterns.md
Bucket, IAM, and mc execution flow | mc-operations.md
Hardening, backup, and disaster recovery | hardening-dr.md

Core Rules

1. Classify Topology Before Any Command

  • Identify single-node, distributed, or tenant-style deployment before writing a plan.
  • Validate endpoint, region, and storage layout so commands target the correct environment.

2. Gate Write Operations with Explicit Confirmation

  • Bucket deletion, lifecycle rewrite, policy replacement, and replication changes need explicit user confirmation.
  • Confirm scope, expected impact, and rollback path before applying mutating actions.

3. Use Read-Then-Write mc Workflows

  • Start with read commands (mc admin info, mc ls, mc policy ls) before write commands.
  • Keep command output snapshots so post-change verification can compare expected versus observed state.

4. Enforce Identity and Policy Least Privilege

  • Default to scoped policies by bucket and prefix rather than broad wildcard access.
  • Rotate access keys and verify policy bindings after every security-sensitive change.
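
One way to check rule 4 before a policy is attached, as an added example that is not part of the skill's own files: a small linter that reads a policy document in the AWS-style IAM JSON format MinIO uses and reports Allow statements with wildcard actions or resources not pinned to a single bucket. The sample policy, bucket names, and the function name lint_policy are constructed for illustration.

```python
import json

S3_ARN_PREFIX = "arn:aws:s3:::"

# Constructed sample policy (hypothetical buckets), not taken from a real deployment.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::reports/team-a/*"]},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::*"]},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::reports"]}
  ]
}
"""


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_text):
    """Return (statement_index, finding) tuples for overly broad Allow statements."""
    policy = json.loads(policy_text)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements restrict access, so wildcards there do not expand it
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "s3:*"):
                findings.append((idx, f"wildcard action {action!r}"))
        for res in _as_list(stmt.get("Resource")):
            # Drop the ARN prefix, then look only at the bucket part before the first "/".
            target = res[len(S3_ARN_PREFIX):] if res.startswith(S3_ARN_PREFIX) else res
            bucket = target.split("/", 1)[0]
            if "*" in bucket:
                findings.append((idx, f"resource {res!r} not pinned to one bucket"))
    return findings


if __name__ == "__main__":
    for idx, finding in lint_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {finding}")
```

A prefix wildcard such as reports/team-a/* passes because the bucket is fixed; only a wildcard in the bucket position or a service-wide action is reported.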

5. Protect Durability Features During Maintenance

  • Check versioning, object lock, retention mode, and replication health before major updates.
  • Never disable durability controls without a documented user-approved exception.

6. Verify by API Behavior, Not Only Command Exit Codes

  • Confirm changes with independent checks: listing, object test writes (if approved), and policy simulation.
  • Treat partial success as failure until data path and auth path both validate.

7. Record Durable Context for Next Sessions

  • Update ~/minio/ notes with environment constraints, safe defaults, and incident learnings.
  • Keep only reusable operational context, never secrets or raw credentials.
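
Because rule 7 is guidance with no enforcement behind it, a scan of the note files can act as the missing check. The following is an added example, not part of the skill: it flags lines in ~/minio/*.md that look like credentials, including the MC_HOST_<alias> URL form that embeds an access key and secret. The patterns are heuristic assumptions and the sample note is constructed.

```python
import re
from pathlib import Path

# Heuristic patterns chosen for this example; extend them for your environment.
PATTERNS = {
    "url-embedded credentials": re.compile(r"https?://[^\s/:@]+:[^\s/@]+@"),
    "key assignment": re.compile(
        r"(?i)\b(secret[_-]?key|access[_-]?key|password|MINIO_ROOT_PASSWORD)\b"
        r"\s*[:=]\s*\S{8,}"),
    "AWS-style access key id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "PEM private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Constructed sample note content (hypothetical endpoint and values).
SAMPLE_NOTE = """\
## environments.md
prod endpoint: https://minio.example.internal:9000 (region us-east-1)
MC_HOST_prod=https://EXAMPLEACCESSKEY:ExampleSecretValue123@minio.example.internal:9000
rotation: access key for svc-backup rotated, new key stored in vault
secret_key = ExampleSecretValue123
"""


def scan_text(text):
    """Return (line_number, pattern_name) for each line that looks like a secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits


def scan_notes(root="~/minio"):
    """Scan every *.md file directly under root and map file path -> hits."""
    results = {}
    for path in sorted(Path(root).expanduser().glob("*.md")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    for lineno, name in scan_text(SAMPLE_NOTE):
        print(f"line {lineno}: {name}")
```

Running scan_notes() after each session, or from a pre-commit hook if the notes are versioned, reports the file and line without printing the matched value.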

Common Traps

  • Treating MinIO like generic S3 without checking deployment mode -> commands succeed but behavior differs in distributed setups.
  • Replacing policies without reading effective bindings -> accidental privilege expansion or lockout.
  • Enabling replication before validating versioning and time sync -> replication drift and conflict noise.
  • Running lifecycle expiration on active prefixes without dry checks -> unexpected object loss.
  • Skipping pre-change snapshots -> no reliable rollback path during outage response.
  • Assuming TLS is valid because endpoint is reachable -> clients fail later due to trust-chain mismatch.

External Endpoints

Endpoint | Data Sent | Purpose
https://<minio-endpoint> | S3 API object and metadata requests | Bucket and object operations against user-managed MinIO
https://<minio-endpoint>/minio/admin | Admin API requests for cluster and identity operations | Health, IAM, and operational control
https://min.io/docs | Documentation lookups only | Reference for command behavior and configuration details

No other data is sent externally.

Security & Privacy

Data that leaves your machine:

  • Requests to user-managed MinIO endpoints for object, bucket, and IAM operations.
  • Optional documentation fetches from official MinIO docs.

Data that stays local:

  • Operational context stored in ~/minio/.
  • Command planning notes, incident logs, and approved runbooks.

This skill does NOT:

  • Send requests to undeclared endpoints.
  • Store raw credentials in memory files.
  • Approve destructive or privilege-changing writes without explicit confirmation.
  • Modify SKILL.md or auxiliary files automatically.

Trust

This skill can send data to MinIO endpoints and optional documentation endpoints when executing approved operations. Only install if you trust the configured MinIO infrastructure and its credential handling model.

Related Skills

Install with clawhub install <slug> if user confirms:

  • s3 - S3-compatible object storage workflows across providers
  • cloud-storage - Storage architecture patterns for mixed cloud and local environments
  • backups - Backup verification and restore-first operating practices
  • infrastructure - Infrastructure planning and production operations baselines
  • docker - Containerized deployment and service lifecycle operations

Feedback

  • If useful: clawhub star minio
  • Stay updated: clawhub sync
