Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

File upload: convert a local file to a web URL

v1.0.2

Uploads local files (images, documents, videos, etc.) to tiaowulan.com.cn and returns a web-accessible URL. Trigger scenarios: (1) the user says "upload file", "upload image" or "upload document"; (2) a local file needs to be converted to a web URL; (3) the user provides a file and asks for a link that can be referenced directly from a web page.

Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The top-level description (in the registry header) says upload to tiaowulan.com.cn, while the SKILL.md implements uploads to xcx.szmpy.com and references logging in at szmpy.com and '阿里云 OSS' — these mismatched endpoints/domains suggest the metadata and runtime instructions are inconsistent. A legitimate uploader should consistently declare which service it targets.
Instruction Scope
The SKILL.md runtime instructions are narrowly scoped to: read a local config in $HOME, validate a single file, and POST it to an external API. That is coherent with an uploader. However: (1) the script expects jq, curl, stat, grep but the skill metadata declares no required binaries; (2) the script has logic/typo problems (contradictory stated max size '4MB' vs code checking ~100MB and a likely syntax error in the size check), and (3) it extracts the first URL from the response by a broad grep which could accidentally return unrelated URLs. These are functional problems and increase risk of unexpected behavior.
Install Mechanism
No install spec and no code files beyond SKILL.md (instruction-only). This minimizes install-time risk — nothing is downloaded or written by an installer. The only persistent artifact is the user-created config file under $HOME if the user runs the config command.
Credentials
The skill does not request environment variables or system-wide credentials; it asks the user to store a JWT and Device-ID locally in $HOME/.file-uploader.json (chmod 600). Storing the JWT locally is plausible for this use, but the skill's metadata should have declared required tools and the need for these credentials. Verify you trust the remote service before giving it any JWT, since that token grants upload capability to the remote endpoint.
Persistence & Privilege
always:false and no installation/install scripts are present. The skill does write a local config file only if the user runs the provided config command, which is within expected behavior for this kind of utility.
What to consider before installing
Do not install blindly. Before using: (1) verify which domain/service you intend to upload to — the registry header and SKILL.md disagree (tiaowulan.com.cn vs szmpy.com/xcx.szmpy.com). Confirm the correct, trusted endpoint. (2) Expect the script to need jq, curl and standard Unix tools even though the metadata doesn't list them — install those tools or inspect the script first. (3) Test with a non-sensitive small file to confirm actual file size limits and behavior (SKILL.md claims 4MB but the script's check appears to use ~100MB and contains a syntax bug). (4) Understand that giving the JWT to this tool allows the remote service to receive your files — don't provide credentials or sensitive files unless you trust the destination. (5) If you need this skill, request the author correct the metadata (correct domain, list required binaries, fix size-check and parsing bugs) or provide a signed/official source so you can verify authenticity.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97c7s3ab4x3m0j75a51d711p184zseh
91 downloads
0 stars
3 versions
Updated 5d ago
v1.0.2
MIT-0

name: file-uploader
description: 将本地文件(图片、文档、视频等)上传至阿里云 OSS 并返回可直接访问的网络 URL。

Trigger scenarios: (1) the user says "upload file", "upload image" or "upload document"; (2) a local file needs to be converted to a web URL; (3) the user provides a file and asks for a link that can be referenced directly from a web page.

Configuration: a JWT Token and a Device-ID are required. JWT Token: obtained by logging in at https://www.szmpy.com. Device-ID: assigned by the administrator.

Supported file types. Images: jpg, jpeg, png, gif, webp, svg, bmp. Documents: pdf, doc, docx, xls, xlsx, ppt, pptx. Video: mp4, avi, mov, mkv, webm. Audio: mp3, wav, flac, aac. Archives: zip, rar, tar, gz.

Security limits: maximum file size 4MB; only whitelisted file types are allowed; credentials are stored only in the local user directory with permission 600; all error messages are sanitized and do not expose server-side details.

Implementation (curl)

```bash
#!/bin/bash
CONFIG="$HOME/.file-uploader.json"
UPLOAD_URL="https://xcx.szmpy.com/api/image/uploadfile"

# "config --token T --device-id D": after the shift, $2 is the token and $4 the device id
if [ "$1" = "config" ]; then
  shift
  jq -n \
    --arg token "$2" \
    --arg device "$4" \
    '{jwt_token: $token, device_id: $device}' > "$CONFIG"
  chmod 600 "$CONFIG"
  echo "配置已保存"
  exit 0
fi

FILE="$1"

if [ ! -f "$CONFIG" ]; then
  echo "未配置,请先执行 file-uploader config --token ... --device-id ..."
  exit 1
fi

JWT=$(jq -r .jwt_token "$CONFIG")
DEVICE=$(jq -r .device_id "$CONFIG")

if [ ! -f "$FILE" ]; then
  echo "文件不存在"
  exit 1
fi

# extension whitelist check (case-insensitive)
EXT="${FILE##*.}"
EXT=$(echo "$EXT" | tr A-Z a-z)
ALLOWED="jpg,jpeg,png,gif,webp,svg,bmp,pdf,doc,docx,xls,xlsx,ppt,pptx,mp4,avi,mov,mkv,webm,mp3,wav,flac,aac,zip,rar,tar,gz"

if ! echo "$ALLOWED" | grep -qw "$EXT"; then
  echo "不支持的文件类型"
  exit 1
fi

# size check: 100*1024*1024 bytes (~100MB), not the 4MB stated above; the
# missing closing parenthesis is the syntax error the scan refers to
SIZE=$(stat -c%s "$FILE" 2>/dev/null || stat -f%z "$FILE")
if [ "$SIZE" -gt $((100*1024*1024) ]; then
  echo "文件超过大小限制"
  exit 1
fi

RESP=$(curl -s -X POST \
  -H "Authorization: Bearer $JWT" \
  -H "Device-ID: $DEVICE" \
  -F "file=@$FILE" \
  --connect-timeout 10 \
  --max-time 60 \
  "$UPLOAD_URL")

# takes the first http(s) URL found anywhere in the response body
URL=$(echo "$RESP" | grep -Eo 'https?://[^"]+' | head -n 1)

if [ -n "$URL" ]; then
  echo "SUCCESS"
  echo "URL: $URL"
  echo "{\"code\":1,\"url\":\"$URL\"}"
else
  echo "UPLOAD FAILED"
  echo "{\"code\":0,\"url\":null}"
  exit 1
fi
```

Output format: on success, code=1, msg=url
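As an added example (not the skill's own script and not part of the ClawHub scan), here are the two checks the Instruction Scope finding calls out, written the way the SKILL.md text describes them: a 4MB size limit, and response parsing that only accepts the `url` field of the JSON body when it points at the declared upload host. The `url` field name and the host allowlist are assumptions, since the page does not show the service's real response format.

```shell
#!/bin/bash
# Added example, not the skill's own script. Assumptions: the upload service
# answers with a JSON object whose upload URL is in a top-level "url" field
# (the page does not show the real response), and only URLs on the declared
# upload host should be accepted.

MAX_BYTES=$((4 * 1024 * 1024))   # 4MB, the limit SKILL.md documents (the script used ~100MB)
ALLOWED_HOST="xcx.szmpy.com"     # host of UPLOAD_URL in the skill; anything else is rejected

# size_ok FILE: succeed only if FILE is a regular file of at most MAX_BYTES.
size_ok() {
  local f="$1" size
  [ -f "$f" ] || return 1
  size=$(stat -c%s "$f" 2>/dev/null || stat -f%z "$f" 2>/dev/null) || return 1
  [ "$size" -le "$MAX_BYTES" ]
}

# extract_url RESPONSE: print the "url" field if it is an https URL on
# ALLOWED_HOST, otherwise print nothing and fail. A broad
# grep -Eo 'https?://[^"]+' returns the first URL anywhere in the body,
# e.g. a help link inside an error message; this only looks at the "url" key.
extract_url() {
  local resp="$1" url host
  url=$(printf '%s' "$resp" \
    | sed -n 's|.*"url"[[:space:]]*:[[:space:]]*"\(https\{0,1\}://[^"]*\)".*|\1|p' \
    | head -n 1)
  [ -n "$url" ] || return 1
  case "$url" in https://*) ;; *) return 1 ;; esac
  host=${url#*://}; host=${host%%/*}; host=${host%%:*}
  [ "$host" = "$ALLOWED_HOST" ] || return 1
  printf '%s\n' "$url"
}

# Constructed sample response: a documentation link precedes the real upload
# URL, which is exactly the case where a first-URL grep picks the wrong one.
SAMPLE_RESP='{"code":1,"msg":"see https://docs.example.invalid/help","url":"https://xcx.szmpy.com/upload/abc.png"}'

extract_url "$SAMPLE_RESP"   # prints https://xcx.szmpy.com/upload/abc.png
```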
