Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

R2 Storage

v0.1.0

Manage Cloudflare R2 object storage (upload, download, list, delete, presigned URLs) using boto3 S3-compatible API. Supports CLI usage and importable Python...

0 · 445 · 1 current · 1 all-time
by Marouane (@mrnsmh)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the included scripts/r2.py are consistent: the skill implements S3-compatible R2 operations using boto3. However, the registry metadata declares no required environment variables while SKILL.md documents R2_* env vars and the code uses them (with defaults). The omission of required env vars from metadata is an inconsistency.
Instruction Scope
Instructions are narrowly scoped to R2 operations and CLI import usage, which matches the code. But SKILL.md states "defaults are pre-configured for Marouane's account" and the script includes DEFAULT_* credentials and a default endpoint — the instructions effectively permit and encourage use of embedded account credentials rather than only user-provided ones, which is unexpected and risky.
Install Mechanism
No install spec is provided (instruction-only skill plus a Python script). No downloads or archive extraction; risk from install mechanism is low.
Credentials
The Python script contains hard-coded DEFAULT_ACCESS_KEY, DEFAULT_SECRET_KEY, and DEFAULT_ENDPOINT values that grant access to an external R2 account if valid. The skill metadata does not require any credentials, yet SKILL.md documents environment variables for credentials — this is disproportionate and suspicious because the code will operate with embedded secrets if env vars are not set. Hard-coded credentials in a published skill can enable covert data exfiltration to the actor-controlled R2 account.
Persistence & Privilege
The skill does not request always:true, doesn't modify other skills or global agent configs, and does not claim persistent system privileges. Autonomous invocation is enabled by default (normal).
What to consider before installing
This skill appears to implement legitimate R2 functionality, but the embedded DEFAULT_ENDPOINT and hard-coded DEFAULT_ACCESS_KEY/DEFAULT_SECRET_KEY are a serious red flag. Before installing or using it:
1) Do NOT use it with any sensitive data until you confirm the credentials are safe.
2) Ask the publisher for provenance and why default keys are included; prefer a version that requires the user to supply credentials via environment variables only.
3) Treat the hard-coded keys as compromised: if you or your organization own the referenced R2 account, rotate those keys immediately.
4) If you still want the functionality, audit or rewrite the script to remove defaults and require explicit user-provided creds (or use documented secure auth), and confirm no network endpoints other than your intended R2 endpoint will receive data.


latest: vk9799v09khr567wn6fbfr8jehn81zxb6
