Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Send Me My Files - R2 upload with short lived signed urls

Upload files to Cloudflare R2, AWS S3, or any S3-compatible storage and generate secure presigned download links with configurable expiration.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
The name and description match the implementation: the code uses the AWS SDK to upload objects, list and delete objects, and generate presigned URLs. Required credentials (access key / secret) are collected via the local config and used only for S3/R2 endpoints. No unrelated services, binaries, or credentials are requested.
Instruction Scope
Runtime instructions and the onboarding script explicitly ask for S3/R2 credentials and instruct writing ~/.r2-upload.yml. The skill reads arbitrary local file paths (file_path) to upload — this is required for the stated purpose but means the skill can access any file the agent is instructed to upload. The code and docs also note some missing protections (no file-size enforcement, no key sanitization), which are legitimate limitations rather than incoherent behavior.
Install Mechanism
There is no remote install/download step in the skill package; dependencies are standard npm packages (AWS SDK, js-yaml, mime-types). All dependencies resolve from public registries and the package.json is consistent with the stated functionality.
Credentials
The skill does not declare required environment variables or request unrelated credentials. It uses an on-disk config file (~/.r2-upload.yml) and respects R2_UPLOAD_CONFIG and R2_DEFAULT_BUCKET overrides — these are appropriate. The onboarding flow requests only storage credentials needed to perform uploads/list/delete and tests the connection.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system-level agent configuration. It writes a per-user config file to the home directory (mode 0600) which is expected for storing credentials for this functionality.
Assessment
This skill appears to do what it claims, but be aware of the practical security implications before installing:

  • You must provide access keys (Access Key ID + Secret) for buckets; prefer creating bucket-scoped tokens with minimal permissions (Object Read/Write only) and avoid account-wide/admin tokens.
  • The onboarding script writes ~/.r2-upload.yml containing your credentials (the script sets file mode 0600). Keep that file private and do not commit it to source control.
  • The skill can read any local file path you instruct it to upload. Only upload files you intend to share and avoid giving the agent paths to sensitive system files.
  • The code currently documents missing protections (no file-size limit, no file-type allowlist, minimal key sanitization). Consider using short presigned expirations (default 5m), rotate credentials if compromised, and review bucket contents regularly.
  • If you need stricter controls, consider adding the recommended security checks (file size limits, key sanitization, allowed extensions) before using in a production environment.

Overall: coherent for its stated use. Use least-privilege tokens and cautious operational practices.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.4

SKILL.md

Send Me My Files - R2 Upload with Short Lived Signed URLs

Upload files to Cloudflare R2 or any S3-compatible storage and generate presigned download links.

Features

  • Upload files to R2/S3 buckets
  • Generate presigned download URLs (configurable expiration)
  • Support for any S3-compatible storage (R2, AWS S3, MinIO, etc.)
  • Multiple bucket configurations
  • Automatic content-type detection

Configuration

Create ~/.r2-upload.yml (or set R2_UPLOAD_CONFIG env var):

# Default bucket (used when no bucket specified)
default: my-bucket

# Bucket configurations
buckets:
  my-bucket:
    endpoint: https://abc123.r2.cloudflarestorage.com
    access_key_id: your_access_key
    secret_access_key: your_secret_key
    bucket_name: my-bucket
    public_url: https://files.example.com  # Optional: custom domain
    region: auto  # For R2, use "auto"
    
  # Additional buckets
  personal:
    endpoint: https://xyz789.r2.cloudflarestorage.com
    access_key_id: ...
    secret_access_key: ...
    bucket_name: personal-files
    region: auto

Cloudflare R2 Setup

  1. Go to Cloudflare Dashboard → R2
  2. Create a bucket
  3. Go to R2 API Tokens: https://dash.cloudflare.com/<ACCOUNT_ID>/r2/api-tokens
  4. Create a new API token
    • Important: Apply to specific bucket (select your bucket)
    • Permissions: Object Read & Write
  5. Copy the Access Key ID and Secret Access Key
  6. Use endpoint format: https://<account_id>.r2.cloudflarestorage.com
  7. Set region: auto

AWS S3 Setup

aws-bucket:
  endpoint: https://s3.us-east-1.amazonaws.com
  access_key_id: ...
  secret_access_key: ...
  bucket_name: my-aws-bucket
  region: us-east-1

Usage

Upload a file

r2-upload /path/to/file.pdf
# Returns: https://files.example.com/abc123/file.pdf?signature=...

Upload with custom path

r2-upload /path/to/file.pdf --key uploads/2026/file.pdf

Upload to specific bucket

r2-upload /path/to/file.pdf --bucket personal

Custom expiration (default: 5 minutes)

r2-upload /path/to/file.pdf --expires 24h
r2-upload /path/to/file.pdf --expires 1d
r2-upload /path/to/file.pdf --expires 300  # seconds

Public URL (no signature)

r2-upload /path/to/file.pdf --public

Tools

  • r2_upload - Upload file and get presigned URL
  • r2_list - List recent uploads
  • r2_delete - Delete a file

Environment Variables

  • R2_UPLOAD_CONFIG - Path to config file (default: ~/.r2-upload.yml)
  • R2_DEFAULT_BUCKET - Override default bucket
  • R2_DEFAULT_EXPIRES - Default expiration in seconds (default: 300 = 5 minutes)

Notes

  • Uploaded files are stored with their original filename unless --key is specified
  • Automatic UUID prefix added to prevent collisions (e.g., abc123/file.pdf)
  • Content-Type automatically detected from file extension
  • Presigned URLs expire after the configured duration
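
The scan report above notes that the skill has no file-size enforcement, no file-type allowlist and minimal key sanitization. The following is an added example, not code from the skill, of pre-upload checks for the --key and --expires inputs shown under Usage; the function names, the 100 MiB limit and the extension allowlist are assumptions.

```javascript
// Added example; every name and limit below is hypothetical, not taken from the skill.
const MAX_EXPIRES = 7 * 24 * 3600;   // SigV4 presigned URLs are valid for at most 7 days
const MAX_BYTES = 100 * 1024 * 1024; // assumed policy: 100 MiB per upload
const ALLOWED_EXT = new Set(['pdf', 'png', 'jpg', 'txt', 'zip']); // assumed allowlist

// Parse the --expires forms shown under Usage ("300", "24h", "1d") into seconds.
function parseExpires(value, fallback = 300) {
  if (value === undefined || value === null || value === '') return fallback;
  const m = /^(\d+)([hd]?)$/.exec(String(value).trim());
  if (!m) throw new Error(`invalid --expires value: ${value}`);
  const seconds = Number(m[1]) * { '': 1, h: 3600, d: 86400 }[m[2]];
  if (seconds < 1) throw new Error('expiration must be at least 1 second');
  return Math.min(seconds, MAX_EXPIRES); // clamp rather than sign a long-lived link
}

// Normalise a user-supplied --key into a safe object key, or throw.
function sanitizeKey(key) {
  if (typeof key !== 'string') throw new Error('key must be a string');
  if (/[\x00-\x1f\x7f\\]/.test(key)) throw new Error('control character or backslash in key');
  const parts = key.split('/').filter((p) => p !== '' && p !== '.');
  if (parts.length === 0) throw new Error('empty key');
  if (parts.includes('..')) throw new Error('".." segment in key');
  const clean = parts.join('/');
  if (Buffer.byteLength(clean, 'utf8') > 1024) throw new Error('key longer than 1024 bytes');
  return clean;
}

// Gate an upload request. `size` is the value fs.statSync(file_path).size reports.
function checkUpload({ key, size, expires }) {
  const cleanKey = sanitizeKey(key);
  const base = cleanKey.split('/').pop();
  if (base.startsWith('.')) throw new Error('dotfiles are not uploaded');
  const ext = base.includes('.') ? base.split('.').pop().toLowerCase() : '';
  if (!ALLOWED_EXT.has(ext)) throw new Error(`extension not allowed: ${ext || '(none)'}`);
  if (!Number.isInteger(size) || size < 0 || size > MAX_BYTES) {
    throw new Error(`file size outside 0..${MAX_BYTES} bytes`);
  }
  return { key: cleanKey, expiresIn: parseExpires(expires) };
}

// Constructed sample request, matching "--key uploads/2026/file.pdf --expires 24h".
console.log(checkUpload({ key: 'uploads/2026/file.pdf', size: 52431, expires: '24h' }));
```

Run the check before the file is read and before the URL is signed, so a rejected request never reaches the bucket.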
