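Qiniu Cloud Object Storage Operations
v1.0.2
Use Qiniu Cloud Kodo and qshell to perform object storage operations, including downloading qshell, configuring the account, querying buckets, uploading files, and downloading files. Applies when the user mentions Qiniu Cloud, Qiniu Kodo, qshell, object storage upload/download, AK/SK, bucket, key, file relay, or uploading files to Qiniu or downloading them from Qiniu to the local machine.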
by 宁伟 @kadbbz
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the included scripts and SKILL.md: all scripts call qshell to create buckets, upload, download, delete, and the README explains qshell workflows. No unrelated services, binaries, or permissions are requested. Minor inconsistency: registry metadata lists no required env vars/primary credential, but SKILL.md expects QINIU_ACCESS_KEY/QINIU_SECRET_KEY (and prefers storing them in ~/.openclaw/openclaw.json).
Instruction Scope
SKILL.md instructs only qshell-related actions: downloading qshell, configuring account, creating buckets, uploading/downloading/deleting objects. Scripts operate on local files/dirs under provided paths and do not attempt to read unrelated system files. The README's insistence on preserving specific download query parameters and use of a Referer header is unusual but appears to be a pragmatic workaround for that host; it does not imply other data collection.
Install Mechanism
This is an instruction-only skill (no install spec). It recommends downloading qshell from kodo-toolbox-new.qiniu.com — an official-seeming Qiniu domain — and running it locally. No arbitrary third-party installers, URL shorteners, or extract-and-run from unknown servers are used in the package itself. As always, users should verify checksums/signatures of downloaded binaries before execution.
Credentials
The SKILL.md expects QINIU_ACCESS_KEY and QINIU_SECRET_KEY (and suggests storing them in ~/.openclaw/openclaw.json), but the skill metadata does not declare these required env vars nor a primary credential. Requesting AK/SK is appropriate for object-storage operations, but the metadata omission reduces transparency. Also, the docs permit passing keys on the command line for short tests — that can leak secrets via process lists; the README notes not to echo keys but doesn't strongly warn about process-list exposure.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It suggests storing credentials under the agent's own config (~/.openclaw/openclaw.json), which is a scoped and expected place for skill configuration.
Assessment
This skill appears to do what it says: it wraps qshell commands for Qiniu Kodo. Before installing: (1) be aware the SKILL.md expects your QINIU_ACCESS_KEY and QINIU_SECRET_KEY but the registry metadata does not declare them — confirm how you will provide secrets and prefer platform secret storage rather than command-line args; passing keys on the command line can be visible to other users/processes. (2) Verify the qshell download URL and ideally validate its checksum/signature after download; the SKILL.md includes specific query parameters and a Referer header — treat that as an operational detail but still verify the binary. (3) Review and test the included scripts in a safe environment (they operate on provided paths and echo status lines). If you need stronger assurance, ask the author to update the skill metadata to declare the required env vars and to include checksum info for the qshell binary.
Like a lobster shell, security has layers — review code before you run it.
