Send Me My Files - R2 upload with short lived signed urls
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: r2-upload Version: 1.0.4 The skill is classified as suspicious due to its inherent powerful capabilities, specifically the ability to read and upload any local file path specified by the agent (`file_path` argument in `r2_upload` in `src/index.ts`), combined with the explicit acknowledgment in `README.md` and `SECURITY.md` of missing security controls such as file size limits, file type restrictions, and comprehensive path sanitization. While these capabilities are necessary for the skill's stated purpose of uploading files to cloud storage, their lack of internal safeguards presents a higher risk profile, as a compromised or malicious agent could exploit them for data exfiltration or denial of service without the skill itself having malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the configured token is broad or compromised, bucket contents could be uploaded, listed, linked, or deleted depending on the token permissions.
The skill requires S3/R2 credentials with object read/write authority so it can upload files and generate links; this is expected for the purpose but grants real cloud-storage authority.
access_key_id: your_access_key secret_access_key: your_secret_key ... Permissions: Object Read & Write
Use a bucket-specific token with the minimum needed permissions, keep ~/.r2-upload.yml private, and rotate credentials if you suspect exposure.
An accidental or poorly reviewed tool invocation could upload the wrong local file, delete a bucket object, or create a non-expiring public link.
The exposed tools can upload, list, delete, and create public links for bucket objects. These operations are disclosed and purpose-aligned, but they are mutating/sharing actions.
- `r2_upload` - Upload file and get presigned URL - `r2_list` - List recent uploads - `r2_delete` - Delete a file ... r2-upload /path/to/file.pdf --public
Require clear user intent before uploads, deletes, public links, or long-lived URLs; prefer short presigned links for sensitive files.
The skill could be used to upload very large files, executable content, or overwrite/use unintended object keys if the agent or user supplies unsafe arguments.
The author discloses that uploads are not bounded by size/type/rate controls and that custom object keys are not fully sanitized.
- ⚠️ No file size limits - ⚠️ No file type restrictions - ⚠️ No rate limiting ... - ⚠️ User can still specify custom `key` parameter
Add size limits, file-type policy, key validation, and confirmation for overwrites/deletes if using this in a production or shared environment.
Users have less registry-level provenance and setup guidance for the code they are asked to install and run.
The registry metadata does not provide a source/homepage or install spec even though the included files contain a Node/TypeScript package and onboarding script.
Source: unknown Homepage: none ... No install spec — this is an instruction-only skill.
Review the included package files before running pnpm/npm commands, and prefer a published source repository with reproducible installation instructions.