us3-skill

Upload files to UCloud US3 object storage and generate public URLs

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: upload local files to UCloud US3 and produce public URLs. The code requires US3_PUBLIC_KEY, US3_PRIVATE_KEY, and US3_BUCKET which are appropriate. However, the registered metadata and SKILL.md also list US3_ENDPOINT although the runtime code does not use it, and the registry claims no required binaries despite examples invoking `node` — a missing runtime declaration is inconsistent with the stated purpose.
Instruction Scope
SKILL.md instructs running the bundled node script on arbitrary local files (including /tmp and other paths). That is consistent with an upload tool, but it means the skill can read and transmit any local file the agent is told to upload (exfiltration risk if misused). The instructions reference US3_ENDPOINT and absolute skill paths (/root/clawdbot/skills/us3/upload.mjs), which may not match every runtime environment. The runtime script itself does not access files or variables beyond what it should for uploads.
Install Mechanism
This is marked as instruction-only with no install spec, but the package.json/package-lock and upload.mjs require Node and npm packages (ufile, mime, etc.). The registry declares no required binaries. There is therefore no declared mechanism to ensure dependencies exist (or to install them), which is an operational/coherence problem and increases the chance the skill will fail or be run in an unexpected environment.
Credentials
The skill requests US3_PUBLIC_KEY (primary), US3_PRIVATE_KEY, US3_BUCKET and US3_ENDPOINT. The code uses the first three but does not read US3_ENDPOINT, so that variable is unnecessary according to the provided source — a mismatch. The private key is required for signing uploads which is expected, but users should recognize this gives full upload access to the configured public bucket (and could be used to exfiltrate files if misused).
Persistence & Privilege
No elevated persistence requested (always: false). The skill does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (default) but not combined with other high-risk flags.
What to consider before installing
This skill's code matches its purpose (upload local files to UCloud US3) but contains several red flags you should consider before installing:

  • Runtime/dependency gaps: Examples call `node` and the code requires npm packages (ufile, mime) but the skill declares no required binaries and has no install step. Ensure Node and the listed npm deps are installed in the agent environment before use.
  • Unused/extra env var: SKILL.md and metadata request US3_ENDPOINT but the script does not use it — verify whether your environment needs that variable or if the skill is out of sync with its docs.
  • Sensitive credentials: The skill needs your US3_PRIVATE_KEY and US3_PUBLIC_KEY. These grant upload access to the bucket; only provide keys you trust, consider using least-privilege credentials, and rotate/revoke keys if you stop using the skill.
  • Exfiltration risk: The tool will read arbitrary local files you point it at and upload them to a public bucket. Don't run it with paths to secrets or sensitive files unless you intend those files to become publicly accessible.
  • Operational suggestions: Confirm the bucket domain format is correct for your region, run the script in a sandbox or test account first, install dependencies from trusted sources (npm registry), and consider updating the skill to declare Node as a required binary or to include a safe install step.

If you want to proceed, verify/prepare the runtime (Node + npm deps), supply credentials scoped appropriately, and test uploads with non-sensitive files first.

Current version: v1.0.0
latestvk9781n7kw5rp5qwt40nbyk15s982044n

Runtime requirements

☁️ Clawdis
Env: US3_PUBLIC_KEY, US3_PRIVATE_KEY, US3_BUCKET, US3_ENDPOINT
Primary env: US3_PUBLIC_KEY

SKILL.md

UCloud US3 Storage Skill

Upload files to UCloud US3 object storage and generate public URLs.

When to use this skill

Use this skill when:

  • The user wants to upload files to cloud storage
  • You need to share files via public URLs
  • You need to store images, videos, or documents in the cloud
  • You need to generate shareable links for files

Prerequisites

  • UCloud US3 account and bucket from https://www.ucloud.cn/
  • Set environment variables:
    • US3_PUBLIC_KEY - UCloud Public Key (Token)
    • US3_PRIVATE_KEY - UCloud Private Key
    • US3_BUCKET - Bucket domain (e.g., xqm.cn-sh2.ufileos.com)
    • US3_ENDPOINT - API endpoint (e.g., https://api.ucloud.cn/)

Usage

Upload files and get public URLs:

# Upload a file
node /root/clawdbot/skills/us3/upload.mjs --file "/path/to/file.jpg"

# Upload with custom key name
node /root/clawdbot/skills/us3/upload.mjs --file "/path/to/file.jpg" --key "custom/path/file.jpg"

# Upload and get URL only
node /root/clawdbot/skills/us3/upload.mjs --file "/path/to/file.jpg" --url-only

Parameters

  • --file (required): Local file path to upload
  • --key (optional): Custom object key (path) in bucket. If not provided, uses filename
  • --url-only (optional): Output only the public URL (default: false)

Examples

# Upload an image
node /root/clawdbot/skills/us3/upload.mjs --file "/tmp/screenshot.png"

# Upload to specific path
node /root/clawdbot/skills/us3/upload.mjs --file "/tmp/video.mp4" --key "videos/2026/video.mp4"

# Upload Feishu downloaded image
node /root/clawdbot/skills/us3/upload.mjs --file "/tmp/feishu_image_123.png" --key "feishu/$(date +%Y%m%d_%H%M%S).png"

# Get just the URL
node /root/clawdbot/skills/us3/upload.mjs --file "/tmp/report.pdf" --url-only

Output

Returns JSON with upload results:

{
  "success": true,
  "url": "https://xqm.cn-sh2.ufileos.com/path/to/file.jpg",
  "key": "path/to/file.jpg",
  "bucket": "xqm.cn-sh2.ufileos.com",
  "size": 123456
}

With --url-only flag, outputs only the URL string:

https://xqm.cn-sh2.ufileos.com/path/to/file.jpg

Supported File Types

  • Images: JPG, PNG, GIF, WEBP, BMP, SVG
  • Videos: MP4, MOV, AVI, MKV, WEBM
  • Documents: PDF, DOC, DOCX, TXT, MD
  • Audio: MP3, WAV, OGG, M4A
  • Archives: ZIP, TAR, GZ
  • Any other file type

Common Use Cases

Upload Feishu Images

When a user sends an image via Feishu and wants to share it:

  1. Image is auto-downloaded to /tmp/feishu_*.png
  2. Upload to US3: node upload.mjs --file "/tmp/feishu_image_123.png"
  3. Share the returned public URL

Upload Processed Files

After converting/processing files:

# Convert and upload
convert input.jpg -resize 800x600 /tmp/resized.jpg
node /root/clawdbot/skills/us3/upload.mjs --file "/tmp/resized.jpg" --key "images/resized_$(date +%s).jpg"

Batch Upload

Upload multiple files:

for file in /tmp/*.png; do
  # Quote "$file" inside basename so paths with spaces or glob characters are not split
  node /root/clawdbot/skills/us3/upload.mjs --file "$file" --key "batch/$(basename "$file")"
done

Notes

  • Files are uploaded to a public bucket - URLs are directly accessible
  • File size limit: Check your UCloud US3 plan limits
  • The bucket domain format: bucket-name.region.ufileos.com
  • Use meaningful key names for better organization
  • Automatic content-type detection based on file extension
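
Because every upload lands in a public bucket, a pre-flight guard in front of upload.mjs can refuse paths outside a staging directory and fail early when Node or a credential variable is missing. This is an added example, not part of the skill's own code; the function names, the US3_UPLOAD_ROOT variable and its /tmp/us3-outbox default are assumptions of the example.

```sh
# Added example: guard wrapper for upload.mjs (not part of the skill).
# US3_UPLOAD_ROOT and all function names here are assumptions of this example.

# us3_preflight: succeed only if node and the three variables the script reads
# are present in the exported environment.
us3_preflight() {
  local var
  command -v node >/dev/null 2>&1 || { echo "node not found" >&2; return 1; }
  for var in US3_PUBLIC_KEY US3_PRIVATE_KEY US3_BUCKET; do
    [ -n "$(printenv "$var")" ] || { echo "missing env: $var" >&2; return 1; }
  done
}

# us3_path_allowed FILE: succeed only if FILE is a regular, non-hidden file
# whose fully resolved path lies under the staging directory.
us3_path_allowed() {
  local root real
  root=$(realpath -- "${US3_UPLOAD_ROOT:-/tmp/us3-outbox}" 2>/dev/null) || return 1
  [ -d "$root" ] || return 1
  real=$(realpath -- "$1" 2>/dev/null) || return 1   # resolves symlinks and ".."
  [ -f "$real" ] || return 1
  case "$real" in
    "$root"/*) ;;            # must be inside the staging directory
    *) return 1 ;;
  esac
  case "${real#"$root"/}" in
    .*|*/.*) return 1 ;;     # no dotfiles or dot-directories (.env, .ssh/...)
  esac
  return 0
}

# us3_guarded_upload FILE [extra upload.mjs arguments...]
us3_guarded_upload() {
  local file
  file=$1
  shift
  us3_preflight || return 1
  us3_path_allowed "$file" || { echo "refusing to upload: $file" >&2; return 1; }
  node /root/clawdbot/skills/us3/upload.mjs --file "$file" "$@"
}
```

Files meant for sharing are copied into the staging directory first; a symlink placed there that points at a file elsewhere is rejected because the check runs on the resolved path.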

Error Handling

Common errors and solutions:

  • missing_credentials: Set all required environment variables
  • file_not_found: Check file path exists
  • upload_failed: Check network connection and credentials
  • invalid_bucket: Verify bucket name and region

Integration Tips

Works well with:

  • feishu-media: Upload images from Feishu messages
  • ffmpeg: Upload processed videos
  • baidu-ocr: Upload images before/after OCR processing
