Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

r2-uploader

v1.0.2

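Upload files to Cloudflare R2 using wrangler. Use when the user needs to upload files to R2, upload in bulk, upload from a URL, or get the public URL after an upload. Keywords: upload, R2, Cloudflare, storage, wrangler, bucket.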

by Alex Redisread @redisread
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The declared purpose (upload to Cloudflare R2 via wrangler) matches the instructions, but the skill does not declare required binaries or credentials. The SKILL.md clearly relies on the wrangler CLI, curl, find, xargs, and environment variables like $R2_BUCKET and $R2_DOMAIN, yet requires.env and required binaries are empty — this is an incoherence that should be explained by the author.
Instruction Scope
Runtime instructions instruct the agent to search and read local files (e.g., `find /Users/victor -name "<filename>"` and `ls -la`) and to upload arbitrary local files or piped downloads to R2. Searching user directories and bulk upload loops are expected for an uploader tool, but the hard-coded example path (/Users/victor) and broad find/xargs patterns expand scope and could cause accidental exfiltration if the agent runs them with wide input.
Install Mechanism
This is an instruction-only skill with no install spec or code to write to disk, which lowers install risk. However, it implicitly requires external binaries (wrangler, curl, find, xargs) that must already be present; that dependency list is missing from metadata.
Credentials
The SKILL.md references environment variables and cloud auth (e.g., $R2_BUCKET, $R2_DOMAIN, and the need to run `wrangler login`), but the skill declares no required env vars or primary credential. Cloudflare credentials (CF account ID, API token, or wrangler-auth) are necessary for wrangler to work; their absence from requires.env is a proportionality/visibility problem.
Persistence & Privilege
The skill does not request persistent or privileged placement (always: false) and does not include install-time modifications. It does instruct creating temporary files under /tmp for uploads, which is normal for the task and confined to its own operation.
What to consider before installing
This skill appears to implement R2 uploads but is missing important metadata and contains potentially risky example commands. Before installing or enabling:

1) Ask the author to declare required binaries (wrangler, curl, find/xargs) and the exact environment variables or credentials needed (Cloudflare account ID, API token, or how auth is expected).
2) Confirm the skill will not run broad searches of your home directory by default—ensure it only accesses user-specified paths.
3) Review and test in a safe environment (no sensitive files) to confirm behavior.
4) If you plan to use it, create a dedicated low-privilege Cloudflare API token scoped only to the target R2 bucket and avoid giving any token that allows broad account access.
5) Do not allow autonomous agent invocation in environments where automatic file discovery could leak data until the above issues are resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c3jm3ax2hhrswhrh6hszfa584164v

SKILL.md

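R2 File Upload

Upload files to Cloudflare R2 object storage using the wrangler CLI.

Parameters

| Parameter | Source | Description |
|---|---|---|
| bucket | $R2_BUCKET or user-specified | R2 bucket name |
| domain | $R2_DOMAIN or user-specified | Custom domain (optional) |
| path | Auto-generated | agent/YYYYMMDD/ format |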

Core workflow

1. Locate the file

# When the user provides a file name, search for the file
find /Users/victor -name "<filename>" -type f 2>/dev/null | head -5

# Verify that the file exists
ls -la "<file-path>"

2. Generate the path

R2_PATH="agent/$(date +%Y%m%d)/$(basename "<file>")"

3. Run the upload

wrangler r2 object put "$R2_BUCKET/$R2_PATH" --file "<file-path>" --remote

4. Return the URL

echo "https://$R2_DOMAIN/$R2_PATH"
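
A confined variant of the four steps above, added here as an example and not part of the skill or of the scan output: it accepts only an explicitly named file inside one directory instead of searching with find, which is the scope concern the scan raises. `UPLOAD_ROOT`, `DRY_RUN` and the function names are assumptions of this example; the file-name allow-list is a conservative choice made for it.

```bash
# Added example, not part of the r2-uploader skill.
# UPLOAD_ROOT and DRY_RUN are names assumed by this example;
# R2_BUCKET and R2_DOMAIN are the variables SKILL.md already uses.

# Step 1: print the canonical path of $1 if it is a regular, non-symlink
# file inside UPLOAD_ROOT; otherwise fail. No other directory is searched.
r2_safe_source() {
    local root dir
    [ -n "${UPLOAD_ROOT:-}" ] || { echo "UPLOAD_ROOT is not set" >&2; return 1; }
    [ -f "$1" ] && [ ! -L "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    root=$(CDPATH= cd -P -- "$UPLOAD_ROOT" && pwd -P) || return 1
    dir=$(CDPATH= cd -P -- "$(dirname -- "$1")" && pwd -P) || return 1
    case "$dir/" in
        "$root"/*) printf '%s/%s\n' "$dir" "$(basename -- "$1")" ;;
        *) echo "refusing path outside $root: $1" >&2; return 1 ;;
    esac
}

# Step 2: build agent/YYYYMMDD/<name>; $2 optionally fixes the date.
r2_object_key() {
    local name day
    name=$(basename -- "$1")
    day=${2:-$(date +%Y%m%d)}
    case "$name" in
        # Allow-list keeps the key usable verbatim in the returned URL.
        *[!A-Za-z0-9._-]*) echo "unsupported file name: $name" >&2; return 1 ;;
    esac
    printf 'agent/%s/%s\n' "$day" "$name"
}

# Steps 3 and 4: upload one named file and print its URL.
# With DRY_RUN set, wrangler is not called.
r2_upload() {
    local src key
    [ -n "${R2_BUCKET:-}" ] && [ -n "${R2_DOMAIN:-}" ] ||
        { echo "R2_BUCKET and R2_DOMAIN must be set" >&2; return 1; }
    src=$(r2_safe_source "$1") || return 1
    key=$(r2_object_key "$src" "${2:-}") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        echo "dry run: $src -> $R2_BUCKET/$key" >&2
    else
        wrangler r2 object put "$R2_BUCKET/$key" --file "$src" --remote >&2 || return 1
    fi
    printf 'https://%s/%s\n' "$R2_DOMAIN" "$key"
}
```
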

Common commands

# List buckets
wrangler r2 bucket list

# Upload a file
wrangler r2 object put "<bucket>/<path>/<file>" --file "<local-path>" --remote

# Upload from a URL
curl -sL "<url>" | wrangler r2 object put "<bucket>/<path>/<file>" --file - --remote

Advanced features

URL formats

After a successful upload:

| Type | URL format |
|---|---|
| Default | https://pub-<account-id>.r2.dev/<path>/<file> |
| Custom domain | https://$R2_DOMAIN/<path>/<file> |

Files

4 total