us3-skill

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: us3
Version: 1.0.0

The OpenClaw AgentSkills skill bundle for UCloud US3 storage appears benign. The `SKILL.md` clearly outlines its purpose to upload files and generate public URLs, requiring UCloud API keys via environment variables, which is standard practice. The `upload.mjs` script correctly parses command-line arguments using `node:util.parseArgs`, preventing direct shell injection into the Node.js script. While the `--key` parameter example in `SKILL.md` shows shell command substitution (`$(date ...)`) for dynamic naming, this is executed by the invoking shell (the AI agent) before the argument reaches the Node.js script, which then treats the result as a literal string for the object key. The script uses standard Node.js modules and the legitimate `ufile` SDK for UCloud interaction. There is no evidence of data exfiltration to unauthorized endpoints, persistence mechanisms, obfuscation, or other malicious behaviors. The ability to read local files is inherent to an upload skill, and there's no indication of intent to access sensitive files beyond what's explicitly provided as input.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A file uploaded with this skill may be accessible to anyone with the returned URL.

Why it was flagged

The skill is explicitly designed to upload local files and make them reachable through public URLs. This is disclosed and purpose-aligned, but the wrong file selection could expose private data.

Skill content

`--file` (required): Local file path to upload ... Files are uploaded to a public bucket - URLs are directly accessible

Recommendation

Use it only for files intended to be public, verify the exact file path and object key before upload, and be cautious with batch uploads.

What this means

Anyone or any agent process with access to these environment variables may be able to upload to the configured US3 bucket, depending on the key permissions.

Why it was flagged

The skill requires UCloud credentials to sign upload requests. This is expected for the stated purpose, and the provided code does not show credential logging or unrelated credential use.

Skill content

`US3_PUBLIC_KEY` - UCloud Public Key (Token) ... `US3_PRIVATE_KEY` - UCloud Private Key

Recommendation

Use a least-privilege UCloud key limited to the intended bucket and upload operations, and rotate the key if it may have been exposed.