Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Minio Share
v0.1.3
Upload files to MinIO object storage and generate shareable links with Markdown formatting. Use when users ask to send files, share files, upload files, down...
by @sinute
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The overall purpose (upload files to MinIO and generate links) aligns with the code which uses MINIO_* env vars and the Minio client. However the registry metadata claims no required environment variables/credentials while SKILL.md and the script require MINIO_API_URL, MINIO_CONSOLE_URL, MINIO_ACCESS_KEY, MINIO_SECRET_KEY, and MINIO_BUCKET — this mismatch is incoherent and should be resolved before trusting the skill.
Instruction Scope
SKILL.md promises rich Markdown output (file info, inline image previews, embedded video player) and describes automatically downloading a file if given a URL. The included script does not implement download-from-URL and in non-JSON mode prints only the presigned URL (JSON mode returns a simple object with presigned and console URLs). The documentation overpromises features the code does not provide.
Install Mechanism
There is no install spec in the registry (instruction-only install), and SKILL.md instructs users to pip install the 'minio' package. This is reasonable and low-risk, but the absence of an install spec means the environment must already be prepared by the user/agent; verify the correct package and version are installed.
Credentials
The environment variables the script requires (MINIO_API_URL, MINIO_CONSOLE_URL, MINIO_ACCESS_KEY, MINIO_SECRET_KEY, MINIO_BUCKET) are appropriate for MinIO access. However the skill registry metadata did not declare any required env vars or a primary credential — this discrepancy is misleading. Also note that supplying access/secret keys grants write access to the target MinIO account/bucket, so credentials should be scoped and rotated.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed but is the platform default and not by itself a red flag here.
What to consider before installing
This skill performs MinIO uploads and needs MINIO_* credentials — make sure you only provide scoped, short-lived credentials for the specific bucket. Note the registry metadata omits the required environment variables; confirm and correct that before installing. The README promises rich Markdown previews and automatic download-from-URL behavior, but the bundled script only uploads a local file and prints a presigned URL (or a small JSON blob) — if you need the promised Markdown/preview behavior you should inspect/modify the script. Avoid using the --insecure option in production (it disables SSL verification). Because the publisher and homepage are unknown, review the script yourself, test in an isolated environment, and prefer least-privilege credentials (write-limited to the intended bucket) and key rotation.
Like a lobster shell, security has layers — review code before you run it.
