Cloud Storage
v1.0.1Manage files across cloud providers with authentication, cost awareness, and multi-provider operations.
⭐ 2· 1.7k·18 current·19 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the content: auth, cost, and provider patterns for S3, GCS, Azure, Backblaze, R2, Drive/Dropbox/OneDrive are all covered. Including consumer providers (Google Drive, Dropbox, OneDrive) is reasonable. The mention of iCloud correctly notes there is no public file API. Overall capability is coherent with purpose.
Instruction Scope
The runtime instructions (auth.md, providers.md) explicitly reference reading and setting environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GOOGLE_APPLICATION_CREDENTIALS, AZURE_CLIENT_SECRET, etc.), local credential files (~/.aws/credentials, /path/to/key.json), CLI logins (gcloud, az, aws implicit metadata), and storing refresh tokens. The skill manifest lists no required env vars or config paths—SKILL.md therefore accesses sensitive credentials/configuration without declaring them. The instructions do not direct data to unexpected external endpoints beyond the cloud providers, but they do instruct behaviors (storing refresh tokens) that affect sensitive data handling and persistence decisions.
Install Mechanism
Instruction-only skill with no install spec and no code files. This lowers risk from arbitrary code downloads or installation artifacts.
Credentials
The credentials and secrets referenced are directly relevant to cloud storage management (AWS keys, GCP service account JSON, Azure service principal, OAuth refresh tokens). That is proportionate to the stated purpose. However: (1) many different credential types are discussed (broad surface area), (2) the skill does not declare or require any environment variables or a primary credential in its registry metadata, and (3) instructions mention storing refresh tokens without describing secure storage—these are sensitive choices the user should control.
Persistence & Privilege
always:false and no install steps mean the skill does not request forced persistence. As an instruction-only skill it will only act when invoked (or when the agent is allowed to call it). There is no evidence it tries to modify other skills or system-wide agent settings.
What to consider before installing
This skill is functionally coherent for multi‑cloud file operations, but exercise caution before providing credentials. Key points: (1) The skill text explicitly uses and suggests storing highly sensitive secrets (AWS keys, GCP JSON, Azure client secrets, OAuth refresh tokens) but the registry entry declares no required envs or provenance—ask the author how credentials are expected to be provided and stored. (2) Prefer using least-privilege service accounts/app-specific keys and short-lived or instance role credentials rather than long-lived root keys. (3) Confirm where refresh tokens or stored credentials would be kept and who/what can access them. (4) Because this is instruction-only (no install), no code will be written by the skill itself, but if you allow the agent to act autonomously it can call provider APIs using any credentials you provide—restrict autonomous invocation if you are uncomfortable. (5) If you need higher assurance, request the skill’s source/homepage or a signed provenance, or run the agent in a restricted environment with only ephemeral credentials and audit logging enabled.Like a lobster shell, security has layers — review code before you run it.
latestvk9797msaj6k010b79sm7c6wvz181dnt6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
☁️ Clawdis
OSLinux · macOS · Windows