file-upload-cli

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it says: upload a user-selected file to a public temporary file-hosting service, with clear privacy warnings but some minor metadata and documentation inconsistencies.

This skill is reasonable for temporary public sharing, but treat every upload as public. Confirm the exact file path, avoid sensitive or private content, and be aware that the documentation contains some service-name inconsistencies.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A selected file may be accessible to anyone who obtains the generated link until it expires.

Why it was flagged

The skill intentionally sends user-selected file contents to an external public provider. This is disclosed and purpose-aligned, but it has privacy impact if the wrong file is uploaded.

Skill content

Files are uploaded to a public file sharing service: URLs are publicly accessible by anyone who has the link ... Do not upload sensitive, confidential, or private files

Recommendation

Use this only for files you are comfortable sharing publicly, and verify the exact file path before uploading.

What this means

If the agent or user supplies the wrong path, a local file could be uploaded to a public service.

Why it was flagged

The script invokes the local curl binary to upload the command-line file path. This is expected for the upload purpose and uses execFile rather than a shell, but it is still a meaningful file-transfer capability.

Skill content

await execFileAsync(curlCmd, ['-F', 'reqtype=fileupload', '-F', 'time=72h', '-F', `fileToUpload=@${filePath}`, 'https://litterbox.catbox.moe/resources/internals/api.php']

Recommendation

Only invoke the tool with an explicit, intended file path and avoid using it on private documents, credentials, or account data.

What this means

Automated installation or compatibility checks may not warn users that curl and Node.js are required.

Why it was flagged

The skill depends on Node.js and curl, while the registry metadata declares no required binaries and there is no install spec. This is a metadata completeness issue rather than evidence of hidden installation behavior.

Skill content

Ensure Node.js v14+ and curl are installed

Recommendation

Before use, confirm Node.js and a trusted system curl are installed; maintainers should declare these requirements in metadata.

What this means

Users may misunderstand which public file-hosting service receives their file.

Why it was flagged

The documented URL format conflicts with the stated litterbox.catbox.moe service and the code endpoint. The mismatch appears to be a documentation inconsistency, but it could confuse users about where files are hosted.

Skill content

URL Format: `https://0x0.st/<random-id>`

Recommendation

Verify the destination before uploading; maintainers should correct the 0x0.st references to match the implemented litterbox.catbox.moe service.