ClawHub

S3

Work with S3-compatible object storage with proper security, lifecycle policies, and access patterns.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 1.1k · 10 current installs · 10 all-time installs
byIván@ivangdavila
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The SKILL.md content (lifecycle, presigned URLs, versioning, CORS, cost, provider differences) matches the name and description—no unrelated capabilities or requests are present.
Instruction Scope
Instructions are advisory and focused on S3 concepts and operational recommendations; they do not direct the agent to read files, access environment variables, call external endpoints, or perform system actions.
Install Mechanism
No install specification or code files are included (instruction-only), so nothing will be written to disk or fetched at install time.
Credentials
The skill declares no required environment variables, credentials, or config paths—appropriate for a documentation-style skill that only provides guidance.
Persistence & Privilege
always is false and the skill does not request persistent presence or modify system/other-skill settings; autonomous invocation is allowed (platform default) but presents no added risk given the skill is read-only guidance.
Assessment
This is a read-only best-practices document (no code, no installs, no secrets requested). It appears safe to install/use as guidance. When you act on these recommendations in your environment, follow least-privilege for credentials, test lifecycle/replication rules in a non-production bucket first, and be careful when generating or sharing presigned URLs (they are bearer tokens). If you later install tooling or scripts to implement these recommendations, review those specific tools for credentials, network access, and install origins before granting them access.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk971qx4rvzzsqq351xbefsd3td80wkpb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🪣 Clawdis
OSLinux · macOS · Windows

SKILL.md

Public Access Control

  • Default deny public access—only open when explicitly needed (static hosting)
  • Bucket policy vs IAM: bucket policy for cross-account/public, IAM for same-account roles
  • Check both bucket-level AND account-level block settings—account can override bucket
  • For web assets, prefer CDN in front of bucket over direct public access

Presigned URLs

  • Set shortest expiration practical—minutes for immediate use, not days
  • URL is a bearer token—anyone with it has access; treat as secret
  • Specify HTTP method in signature—GET for download, PUT for upload
  • Include Content-Type for uploads—mismatch between signature and request causes 403
  • Generate server-side, never expose credentials to client

Lifecycle Rules

  • Transition to cheaper tiers for infrequent access—but check minimum storage duration penalties
  • Auto-delete for temp files, logs, old versions—prevents unbounded storage growth
  • Clean incomplete multipart uploads—accumulate invisibly; set abort rule (7 days typical)
  • Versioned buckets: separate rules for current vs noncurrent versions

Versioning Behavior

  • Enable before you need it—can't recover deleted objects without versioning
  • "Delete" creates delete marker—object hidden but versions remain; storage still consumed
  • Permanent deletion requires explicit version ID—without it, just adds marker
  • Noncurrent version expiration essential—otherwise old versions accumulate forever

Multipart Uploads

  • Required above 5GB, recommended above 100MB—single PUT has size limits
  • Incomplete uploads invisible in normal listings—consume storage silently
  • Abort incomplete uploads via lifecycle—or manually with list-multipart-uploads
  • Parallel part uploads for speed—parts can upload concurrently

CORS for Browser Access

  • Required for JavaScript direct upload/download—blocked without CORS headers
  • Specify exact origins—avoid wildcard * for authenticated requests
  • Expose headers that JavaScript needs to read—Content-Length, ETag, custom headers
  • AllowedMethods: GET for download, PUT for upload, DELETE if needed

Key Naming

  • Use prefixes like directories: users/123/avatar.jpg—but S3 is flat, not hierarchical
  • Avoid sequential prefixes for high throughput—2024-01-01/file1 can hotspot
  • Random prefix or hash for write-heavy buckets—distributes across partitions
  • No leading slash—/images/file.jpg creates empty-string prefix

Cost Awareness

  • Request volume matters—many small files more expensive than few large files
  • Egress typically costly—CDN reduces egress by caching at edge
  • Minimum storage duration varies by tier—early deletion still charged full period
  • Lifecycle transitions have per-object cost—millions of tiny files expensive to transition

Replication

  • Cross-region for disaster recovery, same-region for compliance copies
  • Versioning required on both source and destination
  • Only new objects replicate—existing objects need manual copy or batch operation
  • Delete markers not replicated by default—explicitly enable if needed

Provider Differences

  • AWS S3: full feature set, most tools assume AWS behavior
  • Cloudflare R2: no egress fees, subset of features
  • Backblaze B2: S3-compatible API, different pricing model
  • MinIO: self-hosted, full S3 API compatibility
  • Check presigned URL compatibility—some providers have quirks

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…