aliyun-oss-upload

v1.0.0

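Alibaba Cloud OSS file upload tool. It uploads files to Alibaba Cloud Object Storage and generates temporary access links. Use case: upload a local file to OSS and get a shareable temporary URL. Requires the ALIYUN_OSS_ACCESS_KEY_ID, ALIYUN_OSS_ACCESS_KEY_SECRET, ALIYUN_OSS_ENDPOINT and ALIYUN_OSS_BUCKET environment variables.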

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md, and the included Python script all align: the skill uploads local files to Alibaba Cloud OSS and generates signed (temporary) URLs. However, the registry metadata lists no required environment variables or primary credential even though the runtime requires ALIYUN_OSS_ACCESS_KEY_ID and ALIYUN_OSS_ACCESS_KEY_SECRET — an inconsistency between declared metadata and actual requirements.
Instruction Scope
SKILL.md directs the agent/user to set the OSS-related env vars, install oss2 via pip, and run the provided script. The script itself only reads the documented OSS env vars, checks local file paths, calls the oss2 API, and prints results — no unrelated file reads, system scans, or external endpoints beyond the configured OSS endpoint.
Install Mechanism
There is no install spec; it's instruction + included Python script. Dependency installation is a standard pip install oss2. No downloads from arbitrary URLs or archive extraction are present.
Credentials
The skill legitimately needs ALIYUN_OSS_ACCESS_KEY_ID, ALIYUN_OSS_ACCESS_KEY_SECRET, ALIYUN_OSS_ENDPOINT, and ALIYUN_OSS_BUCKET — these are appropriate for OSS operations. The concern is that the registry metadata did not declare these required env vars/credentials, which is an omission that can hide the fact that secret credentials are necessary and used at runtime.
Persistence & Privilege
The skill does not request persistent/always-on presence and does not modify other skills or system-wide settings. It runs as an invoked script and uses only its own configuration.
What to consider before installing
This skill's code implements a straightforward OSS uploader and signed-URL generator and uses only the documented OSS environment variables. However:

  1. The registry metadata omitted the required secret env vars — treat that as an indicator to be cautious before providing credentials.
  2. The package source and homepage are missing and the owner is unknown — prefer code from a known/verified source.

Before installing or using:

  (a) review the included scripts (done here — they look straightforward),
  (b) avoid putting long-lived root/owner credentials in your shell; create a least-privilege AccessKey for this purpose, or use temporary STS credentials if possible,
  (c) store secrets in a secure vault instead of plaintext env in shared machines,
  (d) test the script in an isolated environment, and
  (e) ask the publisher to correct the registry metadata to declare the required env vars and provide provenance (homepage/repo/signature).

If you need higher assurance, request a verified source or run the script only with a restricted test bucket.

Like a lobster shell, security has layers — review code before you run it.

latestvk972s5sm29vm2nx0yxwnejzanx80d8d5
1.8k downloads
3 stars
1 versions
Updated 1mo ago
v1.0.0
MIT-0

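Alibaba Cloud OSS File Upload

This skill provides file upload to Alibaba Cloud OSS (Object Storage Service) and can generate signed temporary access links.

Quick start

1. Configure environment variables

The following environment variables must be set before use (see references/config.md for details):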

export ALIYUN_OSS_ACCESS_KEY_ID="your-access-key-id"
export ALIYUN_OSS_ACCESS_KEY_SECRET="your-access-key-secret"
export ALIYUN_OSS_ENDPOINT="https://oss-cn-hangzhou.aliyuncs.com"
export ALIYUN_OSS_BUCKET="your-bucket-name"

2. Install dependencies

pip install oss2

Usage

Upload a file

python scripts/oss-upload.py upload --file /path/to/local/file.txt

Optional parameters:

  • --key: object name in OSS (defaults to the local file name)
  • --expire: link validity period (seconds, default 3600)

Example:

# Upload to a specific path
python scripts/oss-upload.py upload --file photo.jpg --key images/photo.jpg --expire 7200

Generate a temporary access link

python scripts/oss-upload.py url --key images/photo.jpg --expire 3600

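Workflow

  1. When the user asks to upload a file:

    • Confirm the local file path
    • Run the upload script
    • Return the upload result and the temporary access link
  2. When the user already has a file in OSS and needs an access link:

    • Run the url command to generate a signed link
    • Return the temporary access URL

Notes

  • Temporary links are valid for 1 hour by default; adjust as needed
  • Keeping the bucket private and granting access through signed links is recommended
  • The script handles large file uploads automatically; no extra configuration is needed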
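
How a signed temporary link binds the object key and the expiry time, shown as an added example that is not the skill's scripts/oss-upload.py. It assumes the OSS V1 query-string signature (HMAC-SHA1); the page does not show which signature version the script's oss2 call produces, and every name and value below is constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed sample values; none of these come from the skill or its script.
KEY_ID = "EXAMPLEKEYID"
SECRET = "example-secret-not-real"
HOST = "oss-cn-hangzhou.aliyuncs.com"
BUCKET = "example-bucket"


def sign(secret, method, bucket, key, expires):
    # V1 string-to-sign: VERB, Content-MD5, Content-Type, Expires, resource.
    # Content-MD5 and Content-Type are empty for a plain download link.
    msg = f"{method}\n\n\n{expires}\n/{bucket}/{key}"
    mac = hmac.new(secret.encode(), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def presign(key, ttl, now):
    expires = now + ttl  # absolute Unix time, carried in the URL in clear
    sig = sign(SECRET, "GET", BUCKET, key, expires)
    return (f"https://{BUCKET}.{HOST}/{quote(key)}"
            f"?OSSAccessKeyId={quote(KEY_ID, safe='')}"
            f"&Expires={expires}&Signature={quote(sig, safe='')}")


def check(url, now):
    # Local model of the service-side decision, for illustration only.
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    expires = int(query["Expires"][0])
    if now > expires:
        return "expired"
    key = unquote(parts.path.lstrip("/"))
    expected = sign(SECRET, "GET", BUCKET, key, expires)
    ok = hmac.compare_digest(expected, query["Signature"][0])
    return "ok" if ok else "signature-mismatch"


if __name__ == "__main__":
    url = presign("images/photo.jpg", 7200, now=1_700_000_000)
    print(url)
    print(check(url, now=1_700_000_100))        # ok
    print(check(url, now=1_700_007_201))        # expired
    stretched = url.replace("Expires=1700007200", "Expires=1700093600")
    print(check(stretched, now=1_700_000_100))  # signature-mismatch
```

The link works as a bearer token until Expires: anyone who holds it can fetch the object, so the --expire value is the exposure window if the URL leaks. The URL carries the AccessKey ID but never the secret.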
