R2 Storage

Security checks across malware telemetry and agentic risk

Overview

This Cloudflare R2 helper is mostly coherent, but it needs review because it can reveal storage keys, install code as root, and delete cloud data with limited safeguards.

Review before installing. Use a least-privilege R2 token, avoid the curl-to-sudo installer unless you verify it independently, do not run credential-display commands in shared or logged environments, and treat delete, purge, and sync --delete as potentially irreversible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill clearly invokes shell commands, including installation and data-management operations, yet no explicit permissions are declared. This creates a trust and review gap: users or orchestration systems may underestimate the skill's ability to execute commands with filesystem, network, and remote-storage side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The description understates the skill's real capabilities: it supports destructive deletion, full-bucket purge, credential display, and privileged installation from a remote script. This mismatch can mislead users into authorizing a skill for routine storage tasks without appreciating that it can expose secrets or irreversibly destroy data.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This script explicitly prints stored R2 access credentials, including the secret access key, to stdout. Exposing long-lived cloud storage credentials is dangerous because they can be captured from terminal history, logs, screenshots, shell piping, or other tools and then used to access or modify bucket contents outside the intended workflow.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The --raw mode is a machine-readable credential dump that emits the access key and secret key as environment-variable lines, making exfiltration and automation of secret harvesting trivial. In a skill described as storage management, a dedicated raw secret export path is broader and riskier than necessary for normal bucket operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented delete and purge commands can irreversibly remove remote objects, including an entire bucket's contents, but no warning or confirmation guidance is provided. In an agent context, terse examples normalize dangerous actions and increase the chance of accidental or automated data loss.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The sync example using '--delete' performs mirroring by removing files from the destination, but the documentation does not explicitly warn about that destructive behavior. Users may interpret sync as additive and unintentionally wipe remote or local data, especially when source and destination are reversed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill exposes commands that print stored credentials in human-readable or raw JSON form without a privacy warning. This can leak access keys into terminal history, logs, screenshots, chat transcripts, or agent telemetry, enabling unauthorized access to the R2 account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The single-path deletion branch executes `rclone delete` immediately for any provided path without a confirmation prompt, dry-run, or safeguard. In a storage-management skill, this makes accidental or induced data loss much more likely, especially if an agent passes an overly broad path or user input is ambiguous.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists raw Cloudflare R2 credentials in both ~/.config/r2/config.json and ~/.config/rclone/rclone.conf without warning the user about long-term local storage or tightening file permissions. In a storage-management skill, handling credentials is expected, but silently writing secrets to disk increases the risk of credential theft from other local users, backups, logs, or compromised endpoints.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script downloads an install script from the network and immediately executes it with sudo, but provides no explicit warning, verification, or confirmation despite the privileged code execution. This is dangerous because any compromise of the remote host, TLS trust chain, DNS, or delivery path can result in arbitrary root-level command execution on the user's machine.

Missing User Warnings

High
Confidence
95% confidence
Finding
The script reveals stored credentials immediately with no warning, re-authentication, confirmation, masking, or audit control. That makes accidental disclosure easy in shared terminals, recorded sessions, CI environments, or support contexts, and the skill context increases concern because it handles real cloud storage credentials with likely write access.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
---
name: r2
description: Cloudflare R2 Storage management — setup, upload, download, sync via rclone
metadata: {"clawdbot":{"emoji":"☁️","requires":{"bins":["rclone"]},"env":["R2_CONFIG"],"install":[{"id":"rclone","kind":"shell","command":"curl -fsSL https://rclone.org/install.sh | sudo bash","label":"Install rclone"}]}}
---

# r2 ☁️
Confidence
92% confidence
Finding
sudo

External Script Fetching

High
Category
Supply Chain
Content
---
name: r2
description: Cloudflare R2 Storage management — setup, upload, download, sync via rclone
metadata: {"clawdbot":{"emoji":"☁️","requires":{"bins":["rclone"]},"env":["R2_CONFIG"],"install":[{"id":"rclone","kind":"shell","command":"curl -fsSL https://rclone.org/install.sh | sudo bash","label":"Install rclone"}]}}
---

# r2 ☁️
Confidence
98% confidence
Finding
curl -fsSL https://rclone.org/install.sh | sudo bash

External Script Fetching

High
Category
Supply Chain
Content
## Install

```bash
curl -fsSL https://rclone.org/install.sh | sudo bash
```

## Credentials Required
Confidence
98% confidence
Finding
curl -fsSL https://rclone.org/install.sh | sudo bash

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```bash
r2-rm file.txt                           # Delete single file
r2-rm folder/                            # Delete folder contents
r2-purge my-bucket                       # Delete all files in bucket
```
Confidence
82% confidence
Finding
rm folder/

Chaining Abuse

High
Category
Tool Misuse
Content
---
name: r2
description: Cloudflare R2 Storage management — setup, upload, download, sync via rclone
metadata: {"clawdbot":{"emoji":"☁️","requires":{"bins":["rclone"]},"env":["R2_CONFIG"],"install":[{"id":"rclone","kind":"shell","command":"curl -fsSL https://rclone.org/install.sh | sudo bash","label":"Install rclone"}]}}
---

# r2 ☁️
Confidence
97% confidence
Finding
| sudo

Chaining Abuse

High
Category
Tool Misuse
Content
## Install

```bash
curl -fsSL https://rclone.org/install.sh | sudo bash
```

## Credentials Required
Confidence
97% confidence
Finding
| sudo

VirusTotal

63/63 vendors flagged this skill as clean.
