us3-skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it advertises—upload selected files to UCloud US3 and return public links—but users should treat uploaded files as publicly accessible and protect the US3 keys.
Install only if you want the agent to upload chosen files to a public US3 bucket. Before each use, confirm the file path, avoid uploading private documents or secrets, verify the bucket domain, and use least-privilege US3 credentials.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A file uploaded with this skill may be accessible to anyone with the returned URL.
The skill is explicitly designed to upload local files and make them reachable through public URLs. This is disclosed and purpose-aligned, but the wrong file selection could expose private data.
`--file` (required): Local file path to upload ... Files are uploaded to a public bucket - URLs are directly accessible
Use it only for files intended to be public, verify the exact file path and object key before upload, and be cautious with batch uploads.
Anyone or any agent process with access to these environment variables may be able to upload to the configured US3 bucket, depending on the key permissions.
The skill requires UCloud credentials to sign upload requests. This is expected for the stated purpose, and the provided code does not show credential logging or unrelated credential use.
`US3_PUBLIC_KEY` - UCloud Public Key (Token) ... `US3_PRIVATE_KEY` - UCloud Private Key
Use a least-privilege UCloud key limited to the intended bucket and upload operations, and rotate the key if it may have been exposed.
