Security audit

Send Me My Files - R2 upload with short lived signed urls

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it uploads user-specified files to S3-compatible storage and manages links, with some expected but important cloud-storage risks.

Install only if you trust the agent using it with your local files and cloud bucket. Use bucket-scoped, least-privilege credentials, keep ~/.r2-upload.yml private, avoid public uploads unless intended, and double-check delete requests because the tool deletes the specified remote object immediately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill explicitly relies on environment variables such as R2_UPLOAD_CONFIG, R2_DEFAULT_BUCKET, and R2_DEFAULT_EXPIRES, but no declared permissions are shown for environment access. Undeclared access to configuration and environment state weakens transparency and consent, and in a credential-handling storage skill this matters because env/config values can contain sensitive paths or secrets.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose emphasizes file upload and presigned downloads, but the skill also exposes listing, deletion, public URL generation, and credential onboarding/storage behaviors. This capability mismatch can mislead users into granting trust or invoking the skill without realizing it can enumerate or delete remote objects and make files publicly accessible.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill metadata says it uploads files and generates signed download links, but the exposed toolset also allows listing and deleting bucket objects. This capability mismatch is dangerous because users or higher-level agents may grant trust based on the narrower description while the skill can perform broader data discovery and destructive actions against configured storage.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill explicitly documents a delete operation for remote objects but provides no warning, confirmation guidance, or safety constraints around destructive use. In an agentic context, this increases the chance of accidental or overly broad deletion from cloud storage, especially when users issue ambiguous natural-language commands or target the wrong bucket/key.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation does not prominently warn that files are sent to third-party cloud providers and that the --public option may expose them without signatures. In a file-handling skill, omission of these data-flow and exposure warnings increases the chance users unintentionally upload sensitive content or create publicly reachable links.
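The difference the finding points at is mechanical: a signed link carries an expiry and a signature bound to one object, while a public link is just a path. The following added example (not code from the skill or its author) mints SigV4 presigned GET URLs for an S3-compatible endpoint with the standard library only, refuses expiries above an assumed policy cap, and classifies links so an audit can spot unsigned ones. The endpoint, bucket, key and credentials in `demo()` are constructed values; `MAX_EXPIRES`, the `auto` region and path-style addressing are assumptions.

```python
"""Short-lived SigV4 presigned GET URLs for an S3-compatible endpoint such as R2.

Added example, not the skill's own code. Standard library only, so it runs
offline; the endpoint, bucket, key and credentials used in demo() are
constructed values, and MAX_EXPIRES is an assumed policy cap.
"""
import datetime as dt
import hashlib
import hmac
import urllib.parse
from typing import Optional

MAX_EXPIRES = 3600  # assumed policy: no link lives longer than one hour
DEMO_NOW = dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc)  # fixed clock for reproducible output


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(endpoint: str, bucket: str, key: str, access_key: str,
                secret_key: str, expires: int,
                now: Optional[dt.datetime] = None, region: str = "auto") -> str:
    """Return a path-style presigned GET URL valid for `expires` seconds.

    Refuses expiries outside 1..MAX_EXPIRES so a caller (or an agent acting on
    a prompt) cannot turn a "short-lived" link into a long-lived one.
    """
    if not 0 < expires <= MAX_EXPIRES:
        raise ValueError(f"expires must be 1..{MAX_EXPIRES} seconds, got {expires}")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    parsed = urllib.parse.urlparse(endpoint)
    host = parsed.netloc
    # Canonical URI: /<bucket>/<key>, each segment URI-encoded (unreserved characters kept)
    canonical_uri = "/" + urllib.parse.quote(bucket, safe="") + "/" + urllib.parse.quote(key, safe="/")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: sorted by name, everything except unreserved characters encoded
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items())
    )
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",    # canonical headers block; the blank line after it is part of the format
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # presigned URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Derive the signing key: HMAC chain over date, region, service and terminator
    k_date = _hmac(("AWS4" + secret_key).encode(), datestamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{parsed.scheme}://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def link_expiry(url: str) -> Optional[dt.datetime]:
    """When a link stops working, or None for an unsigned (public) URL.

    Useful for auditing links an agent has handed out: anything returning None
    is reachable by whoever holds the URL for as long as the object exists.
    """
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    if "X-Amz-Signature" not in q:
        return None
    start = dt.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return start + dt.timedelta(seconds=int(q["X-Amz-Expires"][0]))


def demo(expires: int = 300) -> str:
    """Constructed endpoint and credentials; not a real account or secret."""
    return presign_get("https://example-account.r2.cloudflarestorage.com", "my-bucket",
                       "reports/q1 report.pdf", "AKIAEXAMPLE",
                       "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", expires, now=DEMO_NOW)


if __name__ == "__main__":
    url = demo()
    print(url)
    print("expires at", link_expiry(url))
    print("public link expiry:", link_expiry("https://pub-0000.r2.dev/reports/q1%20report.pdf"))
```

The cap belongs in the tool, not in its documentation: a prompt such as "make the link last a month" then fails loudly instead of quietly producing a month-long credential. Running `link_expiry` over every URL the agent has returned gives the data-flow visibility the finding says the documentation lacks.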

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The r2_delete tool immediately deletes any specified object using configured credentials without any confirmation, preview, soft-delete, or policy restriction. In an agent setting, a mistaken prompt, prompt injection, or user misunderstanding could trigger irreversible data loss across the connected bucket.
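What the missing guard would look like, as an added example and not the skill's own `r2_delete`: a delete wrapper that allow-lists buckets and key prefixes, refuses wildcard or prefix-like keys, previews the object with a HEAD request before touching it, supports a dry run, and requires the caller to echo the exact `bucket/key` before anything is removed. The client interface mirrors the keyword signatures of boto3's `head_object` and `delete_object`; the `FakeClient`, the policy values and the sample objects are constructed for offline use.

```python
"""Guarded delete for an agent-facing storage tool.

Added example, not the skill's own r2_delete. The client interface mirrors
boto3's head_object/delete_object keyword signatures so the guard can sit in
front of a real client; FakeClient and the sample objects are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


class DeleteRefused(Exception):
    """Raised when a delete request fails policy, before anything is removed."""


@dataclass(frozen=True)
class DeletePolicy:
    allowed_buckets: frozenset        # buckets this tool may touch at all
    deletable_prefixes: tuple         # keys must start with one of these
    require_confirmation: bool = True # caller must echo the exact "bucket/key"


class FakeClient:
    """Minimal in-memory stand-in for a boto3 S3 client (constructed for this example)."""

    def __init__(self, objects: Dict[str, Dict[str, int]]):
        self.objects = objects  # bucket -> key -> size in bytes

    def head_object(self, Bucket: str, Key: str) -> dict:
        try:
            return {"ContentLength": self.objects[Bucket][Key]}
        except KeyError:
            raise LookupError(f"{Bucket}/{Key} does not exist")  # a real client raises ClientError

    def delete_object(self, Bucket: str, Key: str) -> dict:
        self.objects[Bucket].pop(Key, None)
        return {}


def guarded_delete(client, policy: DeletePolicy, bucket: str, key: str,
                   confirm: Optional[str] = None, dry_run: bool = False) -> dict:
    """Delete bucket/key only if policy allows and the caller confirmed.

    Returns a description of what was (or, for dry_run, would have been) deleted.
    """
    if bucket not in policy.allowed_buckets:
        raise DeleteRefused(f"bucket {bucket!r} is not in the allow-list")
    if not key or key.endswith("/") or "*" in key:
        raise DeleteRefused("refusing empty, prefix-like or wildcard keys")
    if not any(key.startswith(p) for p in policy.deletable_prefixes):
        raise DeleteRefused(f"key {key!r} is outside the deletable prefixes")
    # Preview first: a key that does not resolve is the usual sign of a mistyped target
    try:
        meta = client.head_object(Bucket=bucket, Key=key)
    except Exception as exc:  # botocore.exceptions.ClientError on a real client
        raise DeleteRefused(f"{bucket}/{key} not found: {exc}")
    result = {"bucket": bucket, "key": key, "size": meta.get("ContentLength"), "deleted": False}
    if dry_run:
        return result
    expected = f"{bucket}/{key}"
    if policy.require_confirmation and confirm != expected:
        raise DeleteRefused(f"confirmation must equal {expected!r} exactly")
    client.delete_object(Bucket=bucket, Key=key)
    result["deleted"] = True
    return result


if __name__ == "__main__":
    client = FakeClient({"my-bucket": {"uploads/a.txt": 10, "config/prod.yml": 5}})
    policy = DeletePolicy(frozenset({"my-bucket"}), ("uploads/",))
    print(guarded_delete(client, policy, "my-bucket", "uploads/a.txt", dry_run=True))
    print(guarded_delete(client, policy, "my-bucket", "uploads/a.txt", confirm="my-bucket/uploads/a.txt"))
```

The confirmation string has to come from the human side of the conversation, not be assembled by the agent from its own tool arguments; otherwise an injected instruction simply supplies it. A soft-delete variant would replace `delete_object` with a copy to a quarantine prefix plus a lifecycle rule, which keeps the same guard and adds an undo window.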

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The onboarding flow interactively collects access keys and writes them to a persistent file in the user's home directory without clearly warning the user that long-lived cloud credentials will be stored on disk. Even though the file is created with mode 0600, this can still increase exposure through backups, endpoint compromise, accidental disclosure, or use on shared systems; in this skill's context, the stored credentials can grant direct access to cloud object storage.
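A 0600 mode at creation time is necessary but not sufficient; the file also has to still be private when it is read, and it has to be written without a window in which it is world-readable. The following added example (not the skill's own loader) resolves the config path from the `R2_UPLOAD_CONFIG` environment variable the skill documents or from `~/.r2-upload.yml`, refuses symlinks, foreign ownership and any group/world permission bits before reading, and writes new config files as a 0600 temporary file renamed into place. The flat `key: value` subset it parses and the `selfcheck()` scratch data are assumptions for offline use; the real file is YAML and needs a YAML parser.

```python
"""Read and write the skill's config file only while it is private to the user.

Added example, not the skill's own code. Path resolution follows the
documented R2_UPLOAD_CONFIG env var and ~/.r2-upload.yml default; the flat
"key: value" parser and the selfcheck() data are assumptions for offline use.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional

DEFAULT_PATH = Path.home() / ".r2-upload.yml"


class ConfigUnsafe(Exception):
    """The config file exists but is exposed to other users; refuse to use it."""


def config_path(env: Optional[Dict[str, str]] = None) -> Path:
    env = os.environ if env is None else env
    return Path(env.get("R2_UPLOAD_CONFIG") or DEFAULT_PATH).expanduser()


def check_private(path: Path) -> None:
    """Raise ConfigUnsafe unless path is a regular, non-symlinked file owned by
    the current user with no group or world permission bits (mode 0600 or tighter)."""
    st = os.lstat(path)  # lstat: do not follow a symlink someone planted at this path
    if stat.S_ISLNK(st.st_mode):
        raise ConfigUnsafe(f"{path} is a symlink")
    if not stat.S_ISREG(st.st_mode):
        raise ConfigUnsafe(f"{path} is not a regular file")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        raise ConfigUnsafe(f"{path} is owned by uid {st.st_uid}, not the current user")
    if st.st_mode & 0o077:
        raise ConfigUnsafe(f"{path} has mode {stat.filemode(st.st_mode)}; expected -rw-------")


def write_private(path: Path, content: str) -> None:
    """Create the file as 0600 from the first byte and replace atomically, so
    there is never a readable half-written copy of the credentials."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".r2-upload.")  # mkstemp creates with 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def load_config(env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Parse a flat `key: value` file (assumed subset of the real YAML) after the permission check."""
    path = config_path(env)
    check_private(path)
    out: Dict[str, str] = {}
    for line in path.read_text().splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip()] = v.strip()
    return out


def selfcheck() -> dict:
    """Stand-alone demonstration in a scratch directory with constructed data."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "r2-upload.yml"
        write_private(path, "default: my-bucket  # constructed sample\n")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        loaded = load_config({"R2_UPLOAD_CONFIG": str(path)})
        os.chmod(path, 0o644)  # simulate a user or backup tool widening the permissions
        try:
            load_config({"R2_UPLOAD_CONFIG": str(path)})
            refused = False
        except ConfigUnsafe:
            refused = True
    return {"mode": mode, "loaded": loaded, "refused_after_chmod": refused}


if __name__ == "__main__":
    print(selfcheck())
```

Refusing to read an over-permissive file, rather than just warning, is the same posture OpenSSH takes with private keys; it turns the backup-and-shared-system exposure the finding describes into a visible failure instead of a silent one.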

Session Persistence

Medium
Category
Rogue Agent
Content
## Configuration

Create `~/.r2-upload.yml` (or set `R2_UPLOAD_CONFIG` env var):

```yaml
# Default bucket (used when no bucket specified)
default: my-bucket

# Bucket configurations
buckets:
  my-bucket:
    endpoint:
```

(The flagged excerpt ends at `endpoint:` in the audit output.)

Confidence
78% confidence
Finding
The flagged content is the configuration excerpt above: the skill has the user persist bucket configuration in `~/.r2-upload.yml`, or at a path given by the `R2_UPLOAD_CONFIG` environment variable, so that it carries over between sessions.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.